25

If a user has loginShell=/sbin/nologin is it still possible to 

ssh user@machine [command]

assuming that the user has proper ssh keys in its home directory that can be used to authenticate?

My goal is to keep the user as a nologin, but still able to execute commands on a few other machines on the network (similar to its use through 'sudo -u'), and am wondering if this is a reasonable course.

Centimane
  • 4,420
  • 2
  • 21
  • 45
  • 1
    It should work. The `command` is run *instead* of the login shell. – orion Feb 10 '15 at 14:43
  • 1
    This defeats the purpose of configuring `/sbin/nologin` as a shell. If your concern is security of the account then disabling password auth and using ssh keys is sufficient. – Creek Feb 10 '15 at 20:03
  • @Creek there's a difference between login shells and other instances of shell. So, what he's asking doesn't necessarily defeat the purpose of /sbin/nologin. It may be he wants to perform some work outside of the context of a login shell. – Michael Martinez Feb 10 '15 at 22:17
  • 8
    @orion Wrong. The command is executed *by* the login shell. – Gilles 'SO- stop being evil' Feb 10 '15 at 22:39
  • @MichaelMartinez in the context of his example, if user's shell is `/sbin/nologin` then user won't be able to login or execute commands on machine. cronjobs can be ran as user and `sftp` can be configured to open sessions, but opening a shell via ssh won't happen – Creek Feb 11 '15 at 00:51

3 Answers3

27

Setting /sbin/nologin as the user's shell (or /bin/false or /bin/true, which are almost equivalent) forbids the user from logging in to run any command whatsoever. SSH always invokes the user's login shell to run commands, so you need to set the login shell to one that is able to run some commands.

There are several restricted shells that allow users to run only a few commands. For example rssh and scponly are both such shells that allow the user to run a few predefined commands (such as scp, sftp-server, rsync, …). See also Restrict user access in linux and Do you need a shell for SCP?

Community
  • 1
Gilles 'SO- stop being evil'
  • 807,993
  • 194
  • 1,674
  • 2,175
  • Thank you, I ended up resigning to giving the account a login shell so that it could run the remote commands. The better solution would probably have been ssh as current user and call sudo -u for the ssh command, but that isn't entirely applicable in my case. – Centimane Feb 19 '15 at 14:45
1

It seem the answer is no.

ssh user@machine [command]

with ssh keys in place only results in:

This account is currently not available

rather than the command executing, seems I'll have to give it access to bash.

Centimane
  • 4,420
  • 2
  • 21
  • 45
-4

I don't know whether that is possible (should be easy to test though) but there is a feature which probably answers your question in a certain way and in any case solves your problem.

You can add a command to the key line in authorized_keys. In that case this command is executed, nothing else. I assume this works with /sbin/nologin as the shell should be ignored anyway.

But you would need a different key for every command you allow.

Hauke Laging
  • 88,146
  • 18
  • 125
  • 174
  • Unfortunately the solution I need would have to be more flexible than this – Centimane Feb 10 '15 at 18:17
  • 1
    if it's easy to test, then you should test it before writing an answer. – Michael Martinez Feb 10 '15 at 21:45
  • @MichaelMartinez It's the questioner's task to make easy tests before asking. It's not difficult to notice that did not answer the question but made a proposal for the problem which caused the question. Which is perfectly suitable as an answer. Downvoting this is just stupid. Would you have criticized the answer without the first paragraph? Exactly. – Hauke Laging Feb 10 '15 at 22:27
  • 3
    The command in `authorized_keys` is executed by the login shell, so no, this doesn't work (not without additional non-trivial configuration). (How is downvoting a wrong answer “stupid”? Please [respect others](http://unix.stackexchange.com/help/be-nice).) – Gilles 'SO- stop being evil' Feb 10 '15 at 22:42