Enforcing ssh login shell for ssh gateway users selectively in sshd_config file

336 admin June 22, 2021 Productivity & Efficiency Features, Security Features 3302

Enforce login shell for ssh users in sshd configuration file.

By default the Ezeelogin gateway users are assigned the shell /usr/local/bin/ezsh however you may want the gateway users to have OS level access ( /bin/bash shell ) when they login via ssh

[[email protected] ~]# finger ezadmin

Directory: /home/ezadmin Shell: /usr/local/bin/ezsh

You can force every user into the /usr/local/bin/ezsh shell and exclude selected users by having the following parameters included in the /etc/ssh/sshd_config file of the gateway box. Append the following lines to the config file

[[email protected] ~]# /etc/ssh/sshd_config

Match User !root,!ted,!ben,?*
ForceCommand /usr/local/bin/ezsh

[[email protected] ~]# service sshd restart

In the above example, it would enforce all the users to default to the shell /usr/local/bin/ezsh on ssh login except for the users root,ted,ben

This would be the recommended way as it improves security by denying a /bin/bash shell for the ssh gateway users who do not need OS level access on the gateway server and forcing them into the ezsh shell.

The users root,ted, ben has been excluded hence would get OS level access ( /bin/bash shell on ssh login) and need to simply run the command ezsh to get the ezsh shell interface.

To force the ezadmin user to the /bin/bash shell, run the following on the gateway box and exclude the user ezadmin in /etc/ssh/sshd_config file only if ForceCommand parameters are in use.

[[email protected] ~]# chsh -s /bin/bash ezadmin.

Refer the article to run sshd to listen on multiple ports so that gateway user is assigned bash shell on one port and ezsh shell on the other port in ssh.

1 people found this article helpful what about you?