Restrict Commands for SSH Users

Last updated: March 18, 2024

Reviewed by: Michal Aibin

1. Overview

SSH is one of the most used applications for connecting to remote machines and working on them in a secure manner. It helps connect to a remote server and work on it as we are doing it locally.

There are many features SSH offers, and one of them is to restrict the commands a logged-in user can run.

Let’s have a look at how this is done.

2. The authorized_keys File

SSH comes with a few configuration files, and authorized_keys is one of them. We use it to manage the different hosts and users connecting to the SSH server. Using this configuration file, we can set up an auto-login to the remote server. We can find the authorized_keys file in the ~/.ssh/ folder. However, we can set a different path in the /etc/ssh/sshd_config.

To restrict the commands, we need to modify the authorized_keys file. A sample configuration would be as below:

from="192.168.1.10",command="/usr/bin/ls" ssh-rsa AAAAB3NzaC1yc2E...OrsMdr bluelake@Pacific

This configuration in the authorized_keys will limit the user to run only the ls command.

The relevant attributes are from and command. The from attribute specifies the client which is trying to connect to the SSH server. We can specify the hostname or IP here. If there are multiple hosts, we can mention all of them separated by a comma. Finally, the command specifies the command allowed to run. We have to supply the command with a full path to it here. Unfortunately, we cannot specify multiple commands here

3. Using a Script

Even though this is a powerful feature, there is no real utility in this since there is only one command the user can run.

Instead of specifying the command, if we specify a script, we can enable the user to do more.

Let’s modify the configuration to allow this behavior as below:

from="192.168.1.10",command="/usr/local/bin/select.sh" ssh-rsa AAAAB3NzaC1yc2E...OrsMdr bluelake@Pacific

The only change is that the command ls is replaced by a select.sh script.

The contents of the script are as below:

#!/bin/bash
echo "1. ls"
echo "2. ping 8.8.8.8 -c 5"
echo "3. top"
read -p 'Choice: ' choice # Read the choice from user
case $choice in
	1)
		ls
		;;
	2)
		ping 8.8.8.8 -c 5
		;;
	3)
		top
		;;
	*)
		exit
		;;
esac

This is a simple script. It reads the user’s input at line 5 and runs the commands depending on the user’s choice.

This actually gives us more flexibility in running different commands. If this is put inside a loop, then the user can run multiple commands in a single session.

4. Conclusion

As we have seen, we can restrict the SSH users to running a particular command. Or better yet, by using a script, we can allow the user to give more choices of commands, thereby increasing the utility of this feature. Furthermore, from a security standpoint, this reduces the vulnerability of the machine since we are allowing only specific commands which users can run.

Comments are open for 30 days after publishing a post. For any issues past this date, use the Contact form on the site.