
Enforcing ssh login shell for ssh gateway users selectively in sshd_config file

Enforce login shell for ssh users in sshd configuration file.
 
By default, Ezeelogin gateway users are assigned the shell /usr/local/bin/ezsh. However, you may want the gateway users to have OS-level access (a /bin/bash shell) when they log in via ssh.
 

[root@jumpbox ~]# finger ezadmin

Login: ezadmin        Name:

Directory: /home/ezadmin            Shell: /usr/local/bin/ezsh 

You can force every user into the /usr/local/bin/ezsh shell and exclude selected users by adding the following parameters to the /etc/ssh/sshd_config file on the gateway box. Append the following lines to the config file:

[root@gw01 ~]# vi /etc/ssh/sshd_config

Match User !root,!ted,!ben,?*
   ForceCommand /usr/local/bin/ezsh

[root@gw01 ~]# service sshd restart 

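In the above example, every user is forced into the shell /usr/local/bin/ezsh on ssh login, except for the users root, ted and ben. The negated entries (!root, !ted, !ben) exclude those users, and the final ?* pattern matches every other user name.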
 
This is the recommended approach: it improves security by denying a /bin/bash shell to the ssh gateway users who do not need OS-level access on the gateway server and forcing them into the ezsh shell.
 
The users root, ted and ben have been excluded, so they get OS-level access (a /bin/bash shell on ssh login) and simply need to run the command ezsh to get the ezsh shell interface.
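
The following is an added example, not part of the original article or of Ezeelogin: a small shell emulation of how sshd evaluates the Match User pattern list above, showing who ends up in ezsh and why the trailing ?* is required. The user alice and the function names match_user and report are constructed for illustration.

```shell
#!/bin/sh
# Added example: emulates how sshd evaluates a "Match User" pattern list.
# Assumption: patterns use only '*' and '?', the wildcards OpenSSH supports.

# match_user USER LIST -> exit status 0 when the Match block applies to USER.
# Runs in a subshell, so the IFS and 'set -f' changes do not leak out.
match_user() (
    user=$1
    applies=1            # stays 1 unless a positive pattern matches
    set -f               # keep '*' and '?' from expanding to file names
    IFS=,
    for pat in $2; do
        case $pat in
            '!'*)        # negated entry: a hit excludes the user outright
                case $user in ${pat#?}) exit 1 ;; esac ;;
            *)           # positive entry: at least one of these must match
                case $user in $pat) applies=0 ;; esac ;;
        esac
    done
    exit "$applies"
)

# report LIST USER... -> prints what each user gets on ssh login
report() {
    list=$1; shift
    for u in "$@"; do
        if match_user "$u" "$list"; then
            echo "$u: ForceCommand /usr/local/bin/ezsh"
        else
            echo "$u: own login shell (Match block skipped)"
        fi
    done
}

echo "Pattern list from the article:"
report '!root,!ted,!ben,?*' root ted ben ezadmin alice   # alice: constructed

# Without the trailing ?* the list holds only negations, and a negated
# match never produces a positive result by itself: nobody is forced.
echo "Negations only:"
report '!root,!ted,!ben' root ezadmin alice
```

On the gateway itself, running sshd -t before the restart checks the edited file for syntax errors, and sshd -T -C user=ted,host=gw01,addr=127.0.0.1 prints the effective settings for that user, including forcecommand.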

To force the ezadmin user to the /bin/bash shell, run the following on the gateway box, and exclude the user ezadmin in the /etc/ssh/sshd_config file only if ForceCommand parameters are in use.

[root@gw01 ~]# chsh -s /bin/bash ezadmin