这是一种安全性的想法.我们的员工应该可以访问Linux服务器上的某些命令,但不能全部访问.他们应例如可以访问日志文件(less logfile)或启动其他命令(shutdown.sh/run.sh).
This is a idea for a security. Our employees shall have access to some commands on a linux server but not all. They shall e.g. have the possibility to access a log file (less logfile) or start different commands (shutdown.sh / run.sh).
背景信息:
所有员工都使用相同的用户名访问服务器:我们的产品以普通"用户权限运行,不需要安装".只需将其解压缩到您的用户目录中并运行它即可.我们管理安装"应用程序的多台服务器.在每台计算机上都有一个用户johndoe.我们的员工有时需要在命令行上访问该应用程序,以访问和检查日志文件或手动重新启动该应用程序.只有某些人具有完全的命令行访问权限.
All employees access the server with the same user name: Our product runs with "normal" user permissions, no "installation" is needed. Just unzip it in your user dir and run it. We manage several servers where our application is "installed". On every machine there is a user johndoe. Our employees sometimes need access to the application on command line to access and check log files or to restart the application by hand. Only some people shall have full command line access.
我们正在服务器上使用ppk身份验证.
We are using ppk authentication on the server.
如果employee1只能访问日志文件,而employee2也可以执行X等操作,那就太好了……
It would be great if employee1 can only access the logfile and employee2 can also do X etc...
解决方案: 作为解决方案,我将使用接受的答案中所述的command选项.我将制作自己的小Shell脚本,它将是唯一可以为 some 员工执行的文件.该脚本将提供几个可以执行的命令,但没有其他命令.我将在authorized_keys中从此处中使用以下参数:
Solution: As a solution I'll use the command option as stated in the accepted answer. I'll make my own little shell script that will be the only file that can be executed for some employees. The script will offer several commands that can be executed, but no others. I'll use the following parameters in authorized_keys from as stated here:
command="/bin/myscript.sh",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-dss AAAAB3....o9M9qz4xqGCqGXoJw= user@host这对我们来说足够安全.谢谢,社区!
This is enough security for us. Thanks, community!
推荐答案您还可以将键限制为允许的命令(在authorized_keys文件中).
You can also restrict keys to permissible commands (in the authorized_keys file).
即用户将不会通过ssh登录,然后只有一组受限制的命令,而只能通过ssh执行这些命令(例如"ssh somehost bin/showlogfile")
I.e. the user would not log in via ssh and then have a restricted set of commands but rather would only be allowed to execute those commands via ssh (e.g. "ssh somehost bin/showlogfile")
更多推荐
登录后如何将SSH用户限制为一组预定义的命令?
发布评论