Put `ForceCommand` in a user-specific configuration file

Question

I'm trying to restrict an SSH-tunnel user.

# sudo cat /home/user/.ssh/config
Banner none
ChrootDirectory /home/%u
PasswordAuthentication no
AllowTcpForwarding yes
X11Forwarding no
AllowAgentForwarding no
ForceCommand /bin/false

However, none of these seem to have any effect.

When I prepend /home/user/.ssh/authorized_keys with no-pty,no-agent-forwarding,no-X11-forwarding,command="/bin/false" it works, but I'd like to also include these directives into permanent configuration.

Is it possible to restrict a user this way without updating /etc/ssh/sshd_config?

UPDATE I know about Match User and Match Group; the point is to have this in a user-specific config.

steve · Accepted Answer · 2018-08-24T21:59:07.707

1

Regarding /home/user/.ssh/config, that's purely for ssh client itself, used on the machine initiating the ssh connection. So not useful here.

Question has been updated saying you've discounted the prospect of adding Match User or Match Group entries into /etc/ssh/sshd_config, because you want a user-specific config.

If you want certain users to be chrooted into their home directory, you could leverage group membership instead, such as this, specifically using Match Group and ChrootDirectory %h.

Match Group jailed
  Banner none
  ChrootDirectory %h
  PasswordAuthentication no
  AllowTcpForwarding yes
  X11Forwarding no
  AllowAgentForwarding no
  ForceCommand /bin/false

edited Aug 24 '18 at 21:59

answered Aug 24 '18 at 13:45

steve

21,582
5
48
75

Thanks, I've already seen this, but I'd like to avoid editing `/etc/sshd_config`, if possible. – ᴍᴇʜᴏᴠ Aug 24 '18 at 13:47
1

Can you please add the "*only used by the ssh client, on the machine initiating the ssh connection, so ignored by sshd*" part to your answer? (Because it actually answers.) If I attempt to do that, it'll probably be rejected by the mods – ᴍᴇʜᴏᴠ Aug 24 '18 at 18:51
As for the `Include` - I thought about it, and even tried it, unfortunately it doesn't work. I'll post some more info as an answer. – ᴍᴇʜᴏᴠ Aug 24 '18 at 18:52

score 1 · Answer 2 · edited Jun 11 '20 at 14:16

# sudo cat /home/user/.ssh/config
UPDATE I know about Match User and Match Group; the point is to have this in a user-specific config.

Something like ForceCommand works to limit what the user can do. That doesn't work well in a configuration file placed in the user's home directory, since they would almost certainly be able to change the configuration, or at least to make it inaccessible (e.g. mv ~/.ssh ~/.ssh_disabled).

Of course, .ssh/config is also the configuration for the SSH client, that is, it modifies what happens when you make an SSH connection out of that system. Restricting a user must necessarily happen on the server, and sshd_config is the only place where ForceCommand is documented to exist. Also, as you say, Include only exists for the client configuration, so your options are a) put the ForceCommand in the sshd_config of the machine with a suitable Match command, or b) don't put the ForceCommand anywhere.

Of course, you could put the SSH server's configuration together from distinct files with some external system, the simplest of which would be something like cat /etc/ssh/sshd_config.d/*.conf > /etc/ssh/sshd_config.

score 0 · Answer 3 · answered Aug 24 '18 at 19:03

First thing that comes to mind: use the Include directive.

However, it only works inside the /etc/ssh/ssh_config (ssh as a client), and when called in /etc/ssh/sshd_config (ssh as a server), throws a "Bad configuration option: include" error - apparently, it was only implemented for the client side

Problem is: the directives I need (such as ForceCommand) are for the server side, therefore ignored when added to ssh_config.

Put `ForceCommand` in a user-specific configuration file

3 Answers3