2

Is it possible, in the openssh-server config, to force a subset of users to use a different shell than the one defined for them in /etc/passwd?

Say that I, for example, want to confine all users logging on from outside a certain IP range to git-shell?

1 Answer

3

You could use a ForceCommand along with Match:

Match Address 10.1.0.0/16
    ForceCommand /usr/bin/git-shell

From man sshd_config:

 Match   Introduces a conditional block.  ...
         The arguments to Match are one or more criteria-pattern pairs or
         the single token All which matches all criteria.  The available
         criteria are User, Group, Host, LocalAddress, LocalPort, and
         Address.
 ForceCommand
         Forces the execution of the command specified by ForceCommand,
         ignoring any command supplied by the client and ~/.ssh/rc if
         present.  The command is invoked by using the user's login shell
         with the -c option.

So, the command you specify would be executed using the user's login shell, which must accept the -c option. The connection is closed when the command exits, so for all practical purposes, that command is their shell.

muru
  • I was not aware that the command closed when the command exits. That's brilliant. I did consider that option but I was afraid that the user could just exit and return to their actual shell. But yes, that is exactly what I was going for then :) – Martin Nielsen Oct 25 '14 at 21:22
  • @MartinNielsen it's like this: When a shell is started with a command (bash -c git-shell, or sh -c vim), the shell exits when the command exits. – muru Oct 26 '14 at 10:29
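
The block in the answer matches clients inside 10.1.0.0/16, while the question is about clients outside a range. The following added example (not part of the original answer, and not OpenSSH code) is a simplified Python model of how a `Match Address` pattern list is evaluated: it shows that `*,!10.1.0.0/16` selects the outside clients and that a negated entry on its own matches nothing. The function names and sample addresses are assumptions made for illustration.

```python
"""Simplified model of how sshd evaluates a `Match Address` pattern list.

Assumption: this mirrors the documented behaviour (comma-separated list,
CIDR entries, `!` negation, `*` and `?` wildcards); it is not OpenSSH code.
"""
import ipaddress
import re


def entry_matches(entry, addr):
    """True if one list entry (CIDR block or wildcard pattern) covers addr."""
    if "/" in entry:
        # strict=True rejects host bits set below the mask, as sshd does.
        net = ipaddress.ip_network(entry, strict=True)
        return ipaddress.ip_address(addr) in net
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                 for c in entry)
    return re.fullmatch(rx, addr) is not None


def address_list_matches(pattern_list, addr):
    """A negated hit vetoes the whole list; otherwise a positive hit is needed."""
    matched = False
    for entry in (e.strip() for e in pattern_list.split(",")):
        negated = entry.startswith("!")
        if entry_matches(entry[1:] if negated else entry, addr):
            if negated:
                return False
            matched = True
    return matched


def forced_command(blocks, addr):
    """Return the ForceCommand of the first Match block that applies to addr."""
    for pattern_list, command in blocks:
        if address_list_matches(pattern_list, addr):
            return command
    return None  # no block applies: the client's own command or shell runs


# Constructed sample data: 10.1.0.0/16 is the range used in the answer, the
# client addresses below are made up for this example.
INSIDE_ONLY = [("10.1.0.0/16", "/usr/bin/git-shell")]      # as in the answer
OUTSIDE_ONLY = [("*,!10.1.0.0/16", "/usr/bin/git-shell")]  # the question's case
NEGATION_ALONE = [("!10.1.0.0/16", "/usr/bin/git-shell")]  # never matches

if __name__ == "__main__":
    for name, blocks in [("inside", INSIDE_ONLY), ("outside", OUTSIDE_ONLY),
                         ("negation alone", NEGATION_ALONE)]:
        for addr in ("10.1.4.20", "203.0.113.7"):
            print(f"{name:15} {addr:12} -> {forced_command(blocks, addr)}")
```

On a real server, `sshd -T -C user=NAME,host=HOST,addr=ADDRESS` prints the effective configuration for a given connection, so the `forcecommand` line can be checked for an inside and an outside address before reloading the daemon.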