Limit SSH User to a shell command

2020-03-26 03:54发布

My question is

how can I allow an user to ssh to my server with limitation to a shell command and a directory?

My situation

I'm using git to deploy code to my Server. I have 2 servers, 1st one is product server, 2nd one is a git server.

My team use git server to pull/push code.

At my product server, I setup git client. Whenever I want to publish a version, I push it to my git server (master or other branches ...), then I ssh into my product server to pull the code.

I want to share the code pulling privilege with my teammates, but don't want to allow them to run any command but git, and limit them in a directory only.

The owner of directory that I want to limit is apache:apache, so it will be very good if the ssh user run by apache privilege.

Thank you,

Solved: I've used lshell with a limit set of commands.

标签: git shell ssh
2条回答
Juvenile、少年°
2楼-- · 2020-03-26 04:36

You should consider gitolite, which is an authorization layer which can ssh forced command.

And ssh forced command is there precisely to limit ssh to one unique command (in the case of gitolite, a script which will control access right, and make sure only git commands are executed).

forced command

Even if you don't use gitolite, ssh forced command alone (not linked to git at all) is still interesting to consider, in order to control and limit what a user can do through an ssh session.


The OP Tarzan, who didn't want to install another service, installed another service (Ishell), which is precisely based on ssh forced command ;)

查看更多
太酷不给撩
3楼-- · 2020-03-26 04:51

A simple command to disable the shell in a git user is to replace the /usr/bin/bash with /usr/bin/git-shell. Replace it in the /etc/password file or using the command:

usermod -s /usr/bin/git-shell [username]

Check this document from the official Git website: Setting Up the Server. Additional info if you want to have a shell on it but limiting it to a directory use: rbash. Same as git-shell just replace the user shell with it.

查看更多
登录 后发表回答