    How to Restrict SSH Access for User with LShell (Limited Shell)

    By Rahul, October 29, 2015

    LShell (Limited Shell) is a restricted shell written in Python that confines a user to a specific set of commands and directories. With it you can build a user environment with limited access, and enable or disable individual commands, including commands executed non-interactively over SSH.


    Install Limited Shell

    Use the following command to install the LShell package on a Debian-based system. For other distributions, check your package manager or the upstream lshell project for a package.

    $ sudo apt-get install lshell
    

    Switch User to LShell

    Now set LShell as the default login shell for each user you want to restrict. For example, to change the shell of user sarah:

    $ sudo chsh sarah
    
    Changing the login shell for sarah
    Enter the new value, or press ENTER for the default
    	Login Shell [/bin/lshell]: /usr/bin/lshell 
    

    You can also set lshell as the login shell when creating the account:

    $ sudo adduser --shell /usr/bin/lshell raj
    
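    Before and after changing shells it is worth checking which accounts already use lshell and whether the path you set is registered in /etc/shells: chsh refuses an unlisted shell for non-root users, and PAM's pam_shells module rejects logins with an unlisted shell wherever it is enabled. The script below is an added example written for this article, not lshell's own code. The passwd and shells contents are constructed samples embedded in the script, and the mix of /bin/lshell and /usr/bin/lshell mirrors the two paths in the chsh transcript above.

```python
"""Audit which accounts use lshell and whether that shell path is registered.

Added example for this article (not lshell's own code). File contents are
passed in as text so the check can run on copies or on constructed samples.
"""
import os

# Constructed samples standing in for /etc/passwd and /etc/shells.
SAMPLE_PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "sarah:x:1001:1001::/home/sarah:/usr/bin/lshell\n"
    "raj:x:1002:1002::/home/raj:/bin/lshell\n"
    "bob:x:1003:1003::/home/bob:/bin/bash\n"
)
SAMPLE_SHELLS = (
    "# /etc/shells: valid login shells\n"
    "/bin/sh\n"
    "/bin/bash\n"
    "/usr/bin/lshell\n"
)


def parse_shells(text):
    """Return the set of shells registered in an /etc/shells-style file."""
    return {line.strip() for line in text.splitlines()
            if line.strip() and not line.startswith("#")}


def audit_lshell_accounts(passwd_text, shells_text, lshell_name="lshell"):
    """Map every account whose login shell is lshell_name to
    (shell_path, registered_in_etc_shells)."""
    registered = parse_shells(shells_text)
    report = {}
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) < 7:          # skip blank or malformed lines
            continue
        user, shell = fields[0], fields[6]
        if os.path.basename(shell) == lshell_name:
            report[user] = (shell, shell in registered)
    return report


def unregistered_accounts(report):
    """Accounts pointed at an lshell path that /etc/shells does not list."""
    return sorted(user for user, (_, ok) in report.items() if not ok)


if __name__ == "__main__":
    # Replace the samples with open("/etc/passwd").read() etc. on a real host.
    report = audit_lshell_accounts(SAMPLE_PASSWD, SAMPLE_SHELLS)
    for user, (shell, ok) in report.items():
        print(f"{user:10} {shell:18} {'registered' if ok else 'NOT in /etc/shells'}")
    print("needs attention:", unregistered_accounts(report))
```

    In the sample, raj's shell /bin/lshell is not listed, so chsh would have refused it for a non-root user; fix either the passwd entry or /etc/shells before relying on the restriction.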

    Configure LShell

    Now configure lshell by editing its configuration file, /etc/lshell.conf. The file has four kinds of sections:

    • [global] : settings that apply globally, for example logging.
    • [default] : default values applied to all users and groups. Anything here can be overridden by a user or group section.
    • [USERNAME] : settings for one specific user; they apply to that user only.
    • [grp:GROUPNAME] : settings for one specific group; they apply to every user in that group.

    The [default] profile applies to every user running lshell. Add a [username] section or a [grp:groupname] section to customize settings for a particular user or group.

    Settings are applied in priority order User > Group > Default: a user section overrides a group section, which in turn overrides the defaults.

    [global]
    logpath         : /var/log/lshell/
    loglevel        : 2
    
    [default]
    allowed         : ['ls','pwd','cd','cat','cp']
    forbidden       : [';', '&', '|','`','>','<', '$(', '${']
    sudo_commands   : ['ls', 'more']
    warning_counter : 2
    aliases         : {'ll':'ls -l', 'vim':'rvim'}
    prompt          : "%u@%h"
    timer           : 0
    path            : ['/home', '/usr']
    env_path        : ':/usr/bin:/usr/local/bin'
    env_vars        : {'foo':1, 'bar':'helloworld'}
    scp             : 1 # or 0
    sftp            : 1 # or 0
    overssh         : ['rsync','ls']
    strict          : 0
    history_file    : "/home/%u/.lshell_history"
    
    [grp:wheel]
    warning_counter : 5
    overssh         : - ['ls']
    
    [raj]
    allowed         : 'all' - ['su','rm','mv']
    path            : ['/etc', '/usr'] - ['/usr/local']
    home_path       : '/home/raj'
    
    [sarah]
    allowed         : + ['ping'] - ['ls']
    path            : - ['/usr/local']
    strict          : 1
    scpforce        : '/home/sarah/uploads/'
    

    For example, if users ‘raj’ and ‘sarah’ both belong to the ‘wheel’ UNIX group, the configuration above gives:

    Group wheel:

    • Users in the wheel group have their warning counter set to 5
    • Users in the wheel group may not run ‘ls’ as a command over SSH (‘ls’ is removed from the default overssh list)

    User raj:

    • Can access /etc and /usr but not /usr/local
    • Can run every command in his PATH except su, rm and mv
    • Has a warning counter of 5 (inherited from the wheel group section)
    • Has his home path set to ‘/home/raj’

    User sarah:

    • Can access /home and /usr but not /usr/local
    • Is allowed the default commands plus ‘ping’, but not ‘ls’
    • Has a warning counter of 5 (inherited from the wheel group section)
    • Has strict set to 1, so an unknown command is treated as forbidden and counts against the warning counter
    • Files sent with scp are forced into /home/sarah/uploads/
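    The walk-through above can be checked mechanically. The script below is an added example written for this article, not lshell's parser: it models the documented precedence ([default], then [grp:GROUP], then [USER]), the ‘all’, ‘+ [...]’ and ‘- [...]’ list syntax, the forbidden-character check, aliases, strict mode and the warning counter, and replays a short session for a user. The config excerpt and the group membership are constructed to match the example above; the kick-out rule (exit when the counter drops below zero, -1 disables it) follows the option table below, and any finer detail of real lshell behaviour is an assumption.

```python
"""Model of how lshell configuration sections combine and judge a command.

Added example for this article, not lshell's own code; see the lead-in for
what it assumes. Values are kept in lshell's own syntax and parsed here.
"""
import ast
import re

# Constructed excerpt of /etc/lshell.conf (only the options this model uses).
CONFIG = {
    "default": {
        "allowed": "['ls','pwd','cd','cat','cp']",
        "forbidden": "[';', '&', '|', '`', '>', '<', '$(', '${']",
        "warning_counter": "2",
        "strict": "0",
        "aliases": "{'ll':'ls -l', 'vim':'rvim'}",
        "overssh": "['rsync','ls']",
    },
    "grp:wheel": {"warning_counter": "5", "overssh": "- ['ls']"},
    "raj": {"allowed": "'all' - ['su','rm','mv']"},
    "sarah": {"allowed": "+ ['ping'] - ['ls']", "strict": "1"},
}
# Constructed group membership (a real resolver would ask getent group).
GROUPS = {"wheel": {"raj", "sarah"}}

LIST_OPTIONS = {"allowed", "forbidden", "overssh", "sudo_commands"}
EMPTY = (False, frozenset())


def apply_list_expr(expr, base):
    """Evaluate one list expression against the inherited value.

    A value is (allow_all, names): with allow_all False, names is the permitted
    set; with allow_all True (from 'all'), names is the exclusion set.
    """
    allow_all, names = base[0], set(base[1])
    parts = re.split(r"\s*([+-])\s*(?=\[)", expr.strip())
    head, ops = parts[0], parts[1:]
    if head:                      # a bare list or 'all' replaces what was inherited
        value = ast.literal_eval(head)
        allow_all = value == "all"
        names = set() if allow_all else set(value)
    for op, literal in zip(ops[::2], ops[1::2]):
        items = set(ast.literal_eval(literal))
        # '+' adds to a permitted set but removes from an exclusion set, and
        # '-' does the opposite, so the policy always widens on '+' and narrows on '-'.
        add_to_set = (op == "+") != allow_all
        names = names | items if add_to_set else names - items
    return allow_all, frozenset(names)


def resolve(user):
    """Merge [default], then any [grp:...] the user belongs to, then [user]."""
    sections = [CONFIG["default"]]
    sections += [CONFIG["grp:" + g] for g, members in GROUPS.items()
                 if user in members and "grp:" + g in CONFIG]
    if user in CONFIG:
        sections.append(CONFIG[user])
    policy = {}
    for section in sections:
        for key, expr in section.items():
            if key in LIST_OPTIONS:
                policy[key] = apply_list_expr(expr, policy.get(key, EMPTY))
            else:
                policy[key] = ast.literal_eval(expr)
    return policy


def check_command(policy, line):
    """Classify a command line as 'allowed', 'forbidden' or 'unknown'.

    Forbidden characters are tested on the raw line first, so 'cat x; sh' is
    rejected even though cat itself is permitted.
    """
    for token in policy.get("forbidden", EMPTY)[1]:
        if token in line:
            return "forbidden"
    words = line.split()
    if not words:
        return "allowed"
    # Expand a one-word alias (ll -> 'ls -l') and judge its first word.
    cmd = policy.get("aliases", {}).get(words[0], words[0]).split()[0]
    allow_all, names = policy["allowed"]
    if allow_all:
        return "forbidden" if cmd in names else "allowed"
    if cmd in names:
        return "allowed"
    return "forbidden" if policy.get("strict", 0) else "unknown"


def run_session(user, lines):
    """Replay inputs: each forbidden line costs one warning; below zero the
    user is kicked out. A counter of -1 disables the mechanism."""
    policy = resolve(user)
    counter = policy.get("warning_counter", 2)
    verdicts = []
    for line in lines:
        verdict = check_command(policy, line)
        if verdict == "forbidden" and counter != -1:
            counter -= 1
            if counter < 0:
                verdicts.append((line, "kicked out"))
                break
        verdicts.append((line, verdict))
    return verdicts


if __name__ == "__main__":
    for user in ("raj", "sarah", "bob"):       # bob: a user with no own section
        print(user, resolve(user)["allowed"], resolve(user)["overssh"])
    for line, verdict in run_session("bob", ["ls", "cat x | id", "id>out", "echo `id`"]):
        print(f"{verdict:>10}  {line}")
```

    Running it shows raj ending up with ‘all’ minus su, rm and mv, sarah with the defaults plus ping and minus ls, and wheel members losing ‘ls’ from overssh; the replayed session for a default user spends both warnings on shell metacharacters and is kicked out on the third.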
    Option name       Explanation
    logpath           log directory (default /var/log/lshell/)
    loglevel          log level 0, 1, 2, 3 or 4 (0: no logs, 1: least verbose, 4: log all commands)
    logfilename       log file name (default is %u, i.e. username.log)
    allowed           list of allowed commands, or ‘all’ to allow every command in the user’s PATH
    forbidden         list of forbidden characters or commands; deny vim, since it can be used to escape lshell
    sudo_commands     list of commands the user may run with sudo(8)
    warning_counter   number of warnings a user gets for entering forbidden values before being exited from lshell; set to -1 to disable
    aliases           command aliases (similar to bash’s alias directive)
    intro             introduction text printed when entering lshell
    prompt            prompt format using %u (user) and/or %h (host) (default: username)
    prompt_short      use a short prompt that shows only the current directory (default: 0)
    timer             session timer, in seconds
    path              list of paths the user is confined to (“geographically”)
    home_path         home folder of the user
    env_path          value of the user’s $PATH environment variable
    allowed_cmd_path  list of paths; every executable file inside them is allowed
    env_vars          additional environment variables
    scp               allow or forbid the use of scp (1 or 0)
    scp_upload        forbid scp upload
    scp_download      forbid scp download
    sftp              allow or forbid the use of sftp (1 or 0)
    overssh           list of commands allowed to be executed over ssh (non-interactively)
    strict            strictness: 1 treats any unknown command as forbidden (and counts a warning), 0 only reports it as unknown
    scpforce          force files sent through scp into a specific directory
    history_size      maximum size of the history file
    history_file      history file name (default is /home/%u/.lhistory)
    login_script      script to run at user login



    3 Comments

    1. SASI on March 28, 2019 12:30 pm

      Thank you

      Reply
    2. Marc Q on December 28, 2018 1:46 pm

      I have Debian 9 and apt-get install lshell returns a package not found. What is the other option to install lshell?

      Reply
    3. A.M on June 8, 2017 5:08 am

      Thanks for this article! How to change the default shell of a group?
      chsh groupname doesn’t work.

      Reply
