Environment: CentOS 7

I would like to have a solution where a service account can access a server in only these ways:

The purpose is to make users log in to the server as themselves, and then switch user, but also to allow the service account to interact with itself through scripted processes from other servers.

I have tried these steps already
/etc/ssh/sshd_config:

Code:

Match User $serviceaccount
   PermitTTY no

This one actually does nothing except prevent a nice-looking terminal. The user still gets an interactive shell.

/home/serviceaccount/.ssh/authorized_keys:

Code:

command="/usr/local/bin/oneshellscripttorulethemall.sh" ssh-rsa AAAAAA....

Users can modify it, plus I cannot guarantee that every connection uses an ssh key.

/etc/passwd

Code:

serviceaccount:x:1500:1500:service account:/home/serviceaccount:/sbin/nologin

/sbin/nologin: prevents all logins, except "sudo -su $serviceaccount"
/bin/false: fails out entirely
/bin/true: does not allow any activity at all
custom wrapper script: A custom script that checks for "$@" and reacts to it might be my only choice and I will continue experimentation. But it could get weird for the local users who su $serviceaccount.


Users could just get a shell over there, and ssh in directly to an interactive shell.

In conclusion

I am interested in any and all attempts to meet the goals described above: Paid solutions, free solutions, hacky shell scripts, ssh config customization, custom default shells, wrapper scripts, etc. I would be pleased to see even partial answers, and I can bang away on adding the missing portions.


Is what I'm aiming for reasonable, or even possible?