
How to add sub ssh users on remote servers and restrict commands via sudoers file

How to create sub SSH users on remote servers and restrict commands via sudoers file


This article describes how to create a sub SSH user ("isotech") on a remote server (configured with root as the Remote SSH Login user) and limit that user to running tcpdump and to downloading files with wget into the directory /home/solusvm/kvm/iso.

Step 1: Create the managed sub SSH user “isotech”.

NOTE: Increase the PHP maximum execution time on the gateway server. The max_execution_time directive specifies the maximum time, in seconds, that a PHP script is allowed to run before it is terminated.

root@gateway ~# read -p "Enter new maximum execution time (e.g., 900): " time && sudo sed -i "s/^max_execution_time =.*/max_execution_time = $time/I" /etc/php/$(php -v | head -n 1 | awk '{print $2}' | cut -d. -f1,2)/cli/php.ini 

root@gateway ~# read -p "Enter new memory limit (e.g., 2G): " memory && sudo sed -i "s/^memory_limit =.*/memory_limit = $memory/I" /etc/php/$(php -v | head -n 1 | awk '{print $2}' | cut -d. -f1,2)/cli/php.ini

root@gateway ~# systemctl restart apache2

       1.a. Under Sub SSH User, specify the username and save it.

               This creates the user “isotech” on all remote servers (n servers).

Step 2: Run the following command via parallel shell to append the rule to the sudoers file on the remote servers.

~# echo "isotech ALL=(ALL) NOPASSWD: /usr/bin/tcpdump" >> /etc/sudoers 

          2.a. Check the syntax of the sudoers file on the remote servers.

~# visudo -c
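
A variant of Step 2 and 2.a, as an added example that is not part of the original article: it writes the rule to a drop-in file under /etc/sudoers.d, validates that file with visudo -cf before it goes live, and can be re-run without duplicating the line. The function name install_sudoers_rule, the VISUDO override and the assumption that /etc/sudoers includes /etc/sudoers.d are assumptions of this example.

```shell
#!/bin/sh
# Added example (not the article's code). Assumes /etc/sudoers includes
# /etc/sudoers.d, which is the default on most distributions.

# install_sudoers_rule USER COMMAND_SPEC [DEST_DIR]
#   VISUDO overrides the validator binary (default: visudo).
install_sudoers_rule() {
    user=$1 spec=$2 dest_dir=${3:-/etc/sudoers.d}
    visudo_bin=${VISUDO:-visudo}

    # Accept only a plain account name. A '.' is rejected on purpose:
    # sudo skips drop-in files whose names contain a dot.
    case $user in
        ''|*[!a-z0-9_-]*) echo "invalid user: $user" >&2; return 2 ;;
    esac
    # sudoers requires fully qualified command paths.
    case $spec in
        /*) ;;
        *) echo "command must be an absolute path: $spec" >&2; return 2 ;;
    esac

    target=$dest_dir/$user
    # The dot-prefixed temp name keeps sudo from reading the unvalidated file.
    tmp=$(mktemp "$dest_dir/.$user.XXXXXX") || return 1
    printf '%s ALL=(ALL) NOPASSWD: %s\n' "$user" "$spec" > "$tmp"
    chmod 0440 "$tmp"

    # Validate the candidate on its own; on failure nothing is installed.
    if ! "$visudo_bin" -cf "$tmp" >/dev/null 2>&1; then
        echo "syntax check failed, nothing installed" >&2
        rm -f "$tmp"
        return 1
    fi
    # Rename within the same directory: re-runs replace the file, never append.
    mv -f "$tmp" "$target"
}

# Usage on a remote server, as root:
#   install_sudoers_rule isotech /usr/bin/tcpdump
```

Passing a command spec with an explicit argument list limits the rule to that exact invocation, whereas the bare path permits any tcpdump arguments.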

Step 3: Log in to the SolusVM master server. Change the user's home directory and grant permissions on the directory as shown below.

 ~# usermod -d /home/isotech/kvm/iso isotech ; chmod 777 /home/isotech/kvm/iso 

Step 4: Map the sub SSH user “isotech” to the “SolosVM Masters GRP” server group and the “Junior Techs” user group. This ensures that gateway users belonging to “Junior Techs” log in to the “SolosVM Master server” as the non-privileged user “isotech”.

Step 5: Log in to the ezsh shell as the SSH gateway user “tom” (a “junior tech”), log in to a remote server (“SolusVM”), and run the “tcpdump” or “wget” command to download the files.
