Author: Andrew McGlashan Date: To: dng Subject: Re: [DNG] [OT] Restricting user capabilities after ssh login
Hi,
On 12/08/18 14:55, mett wrote: > I m wondering about the best way to restrict a user after he has
> ssh'd into his web folder.
I solved this problem a different way.
Created a VM just for the required user(s). They needed to provide
their static IP address and a public key for the authorized_keys file.
Only they could login to their own VM and only from a trusted IP
address with their private key (hopefully protected with a decent
password/passphrase).
The VM mounted particular directories so that the user could access
those alone in their restricted VM without any direct access to the
main host that has shared and non-shared files for others.
As the VM spins up, so to speak, a process mounts the required
directories as the correct user and if they adjust those files, then
the main server will get those adjustments, but they cannot change
ownership of any file (they can, but it won't propagate to the main
server).
There are still risks, they can be bad and place files in their own
areas on the server that might try to do something that would be
frowned upon, such as trying to break security with some kind 0f
executable code (perhaps website code). Some trust is needed, but if
they abuse that trust and get found out, then there would be hell to
pay as I'll cut them off completely and only allow update to files
much less directly.