I need to lock down a system so that a group of individuals can log into the server via ssh.
When they log into ssh I would like them to be presented with a screen session and locked down to that single application. This is so the application can continue to run in the background, while nothing else from the command line can be run.
Any ideas? Maybe there is a better solution than screen?
Consider dtach if all you want is the ability to have processes persist over user sessions. dtach is simply the "detaching" part of tools like screen and tmux boiled down to one small utility.
Take a look at setting the command option in authorized_keys (look in the sshd man page under AUTHORIZED_KEYS). If the users log in with a key configured this way, the command specified will be run instead of the user's shell or anything they may have entered on their ssh command line. You can either set it to run screen as you wanted, or merely the application in question.
Users can do pretty much anything once they enter screen. Ctrl-A, then ":screen /bin/sh", then Enter, and they have a shell. You can run screen as a different user and use ":umask" to prevent that, but users will still be able to read and write files (":readbuf", ":writebuf"), run commands (":exec"), and so on.

tmux

dtach is quite a lot simpler than screen.