To have configurations in sshd_config on a per-user or a per-group basis, you need to use the Match Group and Match User directives.
Example
To prevent, say, remotely running GUI programs for all users except a few, you can use the following snippet. You can of course make other modifications.
# Disable X11 Forwarding and TCP Forwarding.
X11Forwarding no
AllowTcpForwarding no
# Use this to enable them for a group called "X11AllowedList" that you
# created with its respective members.
Match Group X11AllowedList
    X11Forwarding yes
    AllowTcpForwarding yes
## OR ##
# Or use this to enable them for one specific user.
Match User johndoe
    X11Forwarding yes
    AllowTcpForwarding yes
Summary
The indentation is what makes this possible.
Match User johndoe
    X11Forwarding yes
Advanced: To Restrict Commands
If you want something more sophisticated than just preventing some GUI executions, you will want to create a restricted shell so that the users have limited access. This would then be forcibly executed as soon as someone logs in, using the ForceCommand directive as follows:
ForceCommand /usr/local/bin/strict_shell
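One possible /usr/local/bin/strict_shell, added here as an example and not the author's script: it relies on sshd placing the command the client asked for in SSH_ORIGINAL_COMMAND when ForceCommand is in effect. The two allowed requests and the binary paths are assumptions.

```sh
#!/bin/sh
# Added example: an allowlist wrapper that ForceCommand can point at.
# Assumptions: the allowed requests and binary paths below are illustrative.

# Map a client request to a fixed command line. Prints that command line and
# returns 0 when the request is allowed; prints nothing and returns 1 otherwise.
resolve_command() {
    # Quoted case patterns match the whole string literally, so requests such
    # as "uptime; id" or "df -h /etc" never match and fall through to deny.
    case "$1" in
        'uptime') echo '/usr/bin/uptime' ;;
        'df -h')  echo '/bin/df -h' ;;
        *)        return 1 ;;
    esac
}

# Act only when installed under the name sshd_config refers to, so the
# function above can be tested elsewhere. Under any other name the script
# does nothing and the session ends without a shell.
case "$0" in
    */strict_shell|strict_shell)
        # SSH_ORIGINAL_COMMAND is empty for an interactive login, which
        # resolve_command rejects like any other unknown request.
        request=${SSH_ORIGINAL_COMMAND:-}
        who=$(id -un)
        if cmd=$(resolve_command "$request"); then
            logger -t strict_shell "allow user=$who cmd=$cmd"
            set -f      # no globbing while splitting our own fixed string
            exec $cmd   # $cmd comes from the table above, never the client
        fi
        logger -t strict_shell "deny user=$who request=$request"
        echo 'This account is restricted to specific commands.' >&2
        exit 1
        ;;
esac
```

Placing the ForceCommand line under a Match Group or Match User block limits the wrapper to those accounts, and `sshd -t` checks the edited file for syntax errors before the daemon is reloaded.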