Restrict service account from direct interactive sessions

Tags
account, advanced, interactive, service, session, ssh

# 1  
Old 10-05-2018
Restrict service account from direct interactive sessions

Environment: CentOS 7

I would like to have a solution where a service account can access a server in only these ways:
  • ssh non-interactively via password or ssh key; that is, run commands or scripts (but running anything in /etc/shells will not be allowed)
  • not ssh interactively
  • regular users can su $serviceaccount or otherwise get an interactive shell

The purpose is to make users log in to the server as themselves, and then switch user, but also to allow the service account to interact with itself through scripted processes from other servers.

I have tried these steps already
  • sshd_config no ttys
/etc/ssh/sshd_config:
Code:
Match User $serviceaccount
   PermitTTY no

This one actually does nothing except prevent a nice-looking terminal. The user still gets an interactive shell.

  • commands in ~/.authorized_keys
/home/serviceaccount/.ssh/authorized_keys:
Code:
command="/usr/local/bin/oneshellscripttorulethemall.sh" ssh-rsa AAAAAA....

Users can modify it, plus I cannot guarantee that every connection uses an ssh key.

  • altering default shell in /etc/passwd
/etc/passwd
Code:
serviceaccount:x:1500:1500:service account:/home/serviceaccount:/sbin/nologin

/sbin/nologin: prevents all logins, except "sudo -su $serviceaccount"
/bin/false: fails out entirely
/bin/true: does not allow any activity at all
custom wrapper script: A custom script that checks for "$@" and reacts to it might be my only choice and I will continue experimentation. But it could get weird for the local users who su $serviceaccount.


  • restrict logins from certain IPs (the other servers that are using the service account)
Users could just get a shell over there, and ssh in directly to an interactive shell.

In conclusion

I am interested in any and all attempts to meet the goals described above: Paid solutions, free solutions, hacky shell scripts, ssh config customization, custom default shells, wrapper scripts, etc. I would be pleased to see even partial answers, and I can bang away on adding the missing portions.


Is what I'm aiming for reasonable, or even possible?
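A login-shell wrapper along the lines of the "custom wrapper script" idea above, added here as an example (not code from the thread); the install path /usr/local/bin/svc-shell, bash as the backing shell, and using the parent process name to tell an sshd session from a local su are my assumptions:

```shell
#!/bin/sh
# Added example (not from the thread): restricted login shell for a service account.
# Assumed path /usr/local/bin/svc-shell, set as the account's shell in /etc/passwd.
#   ssh host 'cmd' -> svc-shell -c 'cmd'   (parent: sshd)   allowed unless cmd is a shell
#   ssh host       -> -svc-shell, no args  (parent: sshd)   denied: interactive session
#   su svcaccount  -> -svc-shell, no args  (parent: su)     allowed: local user switching
REAL_SHELL=/bin/bash       # shell that actually runs permitted commands
SHELLS_FILE=/etc/shells    # shells that must not be spawned over ssh
# Command name of the process that started us (sshd, su, sudo, ...).
parent_comm() { ps -o comm= -p "${1:-$PPID}" 2>/dev/null | tr -d ' '; }
# Is the first word of a command line a shell in $SHELLS_FILE (full path or bare name)?
first_word_is_shell() {
    set -f; set -- $1; set +f            # split on whitespace, no globbing
    first=${1:-}
    [ -r "$SHELLS_FILE" ] || return 1
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        [ "$first" = "$line" ] || [ "$first" = "${line##*/}" ] && return 0
    done < "$SHELLS_FILE"
    return 1
}
# Policy: $1 = parent process name, $2 = "-c" or "", $3 = command line for -c.
# Prints one of: run-command | deny-shell-command | interactive | deny-interactive
decide() {
    parent=$1 flag=$2 cmdline=$3
    if [ "$flag" = "-c" ]; then
        if [ "$parent" = sshd ] && first_word_is_shell "$cmdline"; then
            echo deny-shell-command      # "ssh host bash" is an interactive shell in disguise
        else
            echo run-command
        fi
    elif [ "$parent" = sshd ]; then
        echo deny-interactive            # ssh with no command
    else
        echo interactive                 # su / sudo by a user already logged in as themselves
    fi
}
svc_shell_main() {
    case "$(decide "$(parent_comm)" "${1:-}" "${2:-}")" in
        run-command) exec "$REAL_SHELL" -c "$2" ;;
        interactive) exec "$REAL_SHELL" "$@" ;;
        deny-shell-command) echo "svc-shell: spawning a shell over ssh is not permitted" >&2; exit 126 ;;
        *) echo "svc-shell: interactive ssh sessions are not permitted" >&2; exit 126 ;;
    esac
}
# Dispatch only when running under the installed name; sourcing the file for tests does nothing.
case "$0" in *svc-shell*) svc_shell_main "$@" ;; esac
```

Checking only the first word catches a direct `ssh host bash` but not a shell started indirectly by some other program, so a fixed command allowlist (like the forced command tried above) remains the stronger control. The parent-process check also assumes su and sudo are the only local routes into the account.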
# 2  
Old 10-05-2018
Looks unreasonably complex to implement, yes, with requests for functionality overlapping.

Is there another approach for the desired outcome?
Perhaps some web server and an actual application....

You will have many issues with implementing your entire functionality using one user and SSH protocol.
If you manage to do that in the end you will have a hacky mess.

Perhaps more service users with separated privileges.
Linux and unix systems are multi user environments in their essence, so exploit that as much as you can.

Hope that helps
Regards
Peasant.
# 3  
Old 10-05-2018
I started a possible tool to watch the logs and deal with shell sessions, but it can be easily defeated with an ssh remoteserver /bin/bash.
Code:
#!/bin/sh
# startdate: 2018-10-05 13:20
# Purpose: if a service account user logs in interactively, then kill it.
# incomplete. Can be foiled with: ssh -t clonetest210 /bin/bash
# improve: how to retrieve log entries to check

# Sample journalctl output.
# Oct 05 13:12:52 clonetest210 sshd[1868]: Starting session: shell on pts/3 for bgstack15-local from 10.200.18.240 port 59349 id 0

# Dependencies: sshd_config LogLevel VERBOSE
# journalctl -f -u sshd is not sufficient. I cannot tell what unit logs the notice seen above.

BADUSERS="(bgstack15-local|prophetess)"

journalctl -n100 | grep -oE "sshd\[.{1,10}\]: Starting session: shell on .* for ${BADUSERS} from .*" | awk '{print $1,$6,$8,$10}' | while read longpid tty tu srcip ;
do
   pid="$( echo "${longpid}" | tr -dc "[:digit:]" )"
   echo "Found login: ${tu} from pid ${pid} from ip ${srcip} and made terminal ${tty}"

   # investigate that current pid. if it exists and is sshd, kill it
   psout="$( ps -e -o pid:9,ppid:9,user:15,command:90 2>/dev/null | awk "\$1 == $pid" )"
   if test -n "${psout}" && echo "${psout}" | grep -qE "sshd:" ;
   then
      echo "need to warn user ${tu} on tty ${tty} and then kill pid ${pid}"
      printf "\n%s\n" "Interactive sessions are not allowed for user ${tu}." > "/dev/${tty}"
      sleep 0
      kill "${pid}"
   fi
done
