Skip to Content

How do I restrict commands that a user can execute in ssh in ezsh shell ?

10  Manu Chacko January 20, 2023  Security Features

Restrict commands in the Ezeelogin jump server shell 

Ezeelogin uses IEEE Std 1003.2 (“POSIX.2”) regular expressions in the command guard.

Note: Command guard is an experimental feature (user can bypass command guard by using scripts, up arrow key, tab key, etc).

1. Enable command guard from Ezeelogin GUI > Settings > General > Security > Command Guard > Enable

2. Add a command group from Ezeelogin GUI > Command Guard > Command Groups > Add Group

Click  on the right menu to open add command group form.   

3.  Add command from Ezeelogin GUI > Command Guard > Commands > Add command 

Click    add command form. Enter the name and regular expression for the command you want to add and click 

Refer below example to test if a string matches the regular expression given for a command, click on the test icon towards the right of the command in the command list.  

For example, the following image shows regular expressions to block a user from executing the " kubectl " command with the " delete " option

The following image shows another example of a regular expression to delete files and directories from the command line with '' rm -rf ''.

regular expression

4. Add the command to Command Group from Ezeelogin GUI > Command Guard > Command groupActions > Click on the Commands icon  

Refer user manualhttps://www.ezeelogin.com/user_manual/CGM.html

5. Edit the user, choose the command group and Allow / Disallow commands for the user.

Select the command group from the Drop down windows and select Allow / Disallow to allow or disallow commands in the command group selected. 

Allow will let the user execute only those commands matching the regular expression of commands in the command group

Disallow will prevent the user from executing any of the commands matching the regular expression of commands in the command group and will let the user execute all other commands. 

How to allow the user to switch when the command guard is enabled?

1. Following image shows how to add the regular expression for the switch user.

2. Add the password of the user in the regular expression field and enable the password button to save it with hashing.

3. Navigate to command guard group -> click on the command's icon and select all commands that need to be added to the group.

4. Edit the user and select the command guard group from the dropdown and enable allow to allow those commands for that user.

5. Login to the ezsh (Ezeelogin shell) as the same user, type in su - username to switch user, and provide the correct password when prompted. Refer to the below example.

 

Related Articles

Assign command guard groups for users or user groups

Slowness in SSH Session

 
Rating: 5 (1 Votes)