How to add sub ssh users on remote servers and restrict commands via sudoers file
Synopsis:
This article describes how to create a sub SSH user ("isotech") on a remote server (configured with root as the Remote SSH Login user) and limit that user's actions to running the command tcpdump and downloading files with wget into the directory /home/solusvm/kvm/iso.
Step 1: Create the managed sub SSH user "isotech".
NOTE: Increase the PHP maximum execution time (in seconds) and the PHP memory limit on the Gateway server. The max_execution_time directive specifies the maximum time in seconds that a PHP script is allowed to run before it is terminated.
root@gateway ~# read -p "Enter new maximum execution time (e.g., 900): " time && sudo sed -i "s/^max_execution_time =.*/max_execution_time = $time/I" /etc/php/$(php -v | head -n 1 | awk '{print $2}' | cut -d. -f1,2)/cli/php.ini
root@gateway ~# read -p "Enter new memory limit (e.g., 2G): " memory && sudo sed -i "s/^memory_limit =.*/memory_limit = $memory/I" /etc/php/$(php -v | head -n 1 | awk '{print $2}' | cut -d. -f1,2)/cli/php.ini
root@gateway ~# systemctl restart apache2
1.a. Under Sub SSH User, specify the username and save it.
This will create the user "isotech" on all remote servers (n number of servers).
Step 2: Run the following command via Parallel Shell on the remote servers to add the rule to the sudoers file.
~# echo "isotech ALL=(ALL) NOPASSWD: /usr/bin/tcpdump" >> /etc/sudoers
2.a. Check the syntax of the sudoers file on the remote servers.
~# visudo -c
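The following script is an added example (it is not part of the original article and not Ezeelogin or SolusVM code). It performs Step 2 and Step 2.a together in the safer form: the rule for the sub SSH user is written as a drop-in file under /etc/sudoers.d with the 0440 mode sudo requires, and only that file is validated with visudo -c -f, so a typo can never break /etc/sudoers itself. The script assumes the host's /etc/sudoers contains the usual "#includedir /etc/sudoers.d" line and that SUDOERS_DIR may be pointed at a scratch directory to exercise the functions without root. It also generalises the article's rule: a command given as a bare path (as in the article) is allowed with any arguments, while a command given with arguments is allowed only for exactly that invocation, which is the tighter grant to prefer when the required invocation is known.

```shell
#!/bin/sh
# Added example, not part of the original article or of Ezeelogin/SolusVM.
# Installs the Step 2 sudo rule as a drop-in under /etc/sudoers.d and runs the
# Step 2.a syntax check on that one file only.
# Assumptions: /etc/sudoers has "#includedir /etc/sudoers.d"; SUDOERS_DIR can be
# overridden (e.g. a temp dir) to try the functions without root.

SUDOERS_DIR="${SUDOERS_DIR:-/etc/sudoers.d}"

# render_rule USER CMD...  -> prints one sudoers line.
# Each CMD must be an absolute path. A bare path ("/usr/bin/tcpdump") lets the
# user run that command with any arguments, which is what the article's rule
# grants; a path with arguments ("/usr/bin/wget -P /dir") permits exactly that
# invocation and nothing else.
render_rule() {
    user="$1"; shift
    [ $# -gt 0 ] || { echo "render_rule: no commands given" >&2; return 1; }
    cmds=""
    for c in "$@"; do
        case "$c" in
            /*) ;;
            *) echo "render_rule: refusing non-absolute command: $c" >&2; return 1 ;;
        esac
        cmds="${cmds:+$cmds, }$c"
    done
    printf '%s ALL=(ALL) NOPASSWD: %s\n' "$user" "$cmds"
}

# write_rule USER CMD...  -> writes $SUDOERS_DIR/USER with mode 0440, prints its path.
write_rule() {
    user="$1"
    file="$SUDOERS_DIR/$user"
    rule=$(render_rule "$@") || return 1          # render first so a bad rule never touches disk
    mkdir -p "$SUDOERS_DIR" || return 1
    printf '%s\n' "$rule" > "$file" || return 1
    chmod 0440 "$file" || return 1                # sudo refuses drop-ins that are group/world writable
    printf '%s\n' "$file"
}

# check_rule USER  -> validates only the drop-in with visudo -c -f, the per-file
# form of the article's "visudo -c"; returns 2 if visudo is not installed.
check_rule() {
    file="$SUDOERS_DIR/$1"
    command -v visudo >/dev/null 2>&1 || { echo "visudo not found, cannot validate $file" >&2; return 2; }
    visudo -c -f "$file"
}

# install_rule USER CMD...  -> write, validate, and remove the drop-in on any failure.
install_rule() {
    file=$(write_rule "$@") || return 1
    if ! check_rule "$1"; then
        rm -f "$file"
        echo "install_rule: removed invalid rule $file" >&2
        return 1
    fi
    echo "installed $file"
}

# Usage on a remote server (as root): sh sudo-rule.sh isotech /usr/bin/tcpdump
if [ $# -gt 0 ]; then
    install_rule "$@"
fi
```

After the rule is installed, `sudo -l -U isotech` run as root lists exactly what the user may execute via sudo and is a quick way to confirm that nothing beyond tcpdump has been granted. Note that wget needs no sudoers entry in this setup: Step 3 makes /home/isotech/kvm/iso the user's home directory, so wget runs as the unprivileged "isotech" user and writes into that directory.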
Step 3: Log in to the SolusVM Master server. Change the user's home directory and grant permissions on that directory as shown below.
~# usermod -d /home/isotech/kvm/iso isotech ; chmod 777 /home/isotech/kvm/iso
Step 4: Map the sub SSH user "isotech" to the "SolusVM Masters GRP" server group and the "Junior Techs" user group. This ensures that gateway users belonging to "Junior Techs" log in to the "SolusVM Master server" as the non-privileged user "isotech".
Step 5: Log in to the ezsh shell as the SSH gateway user "tom" ("junior tech"), log in to a remote server ("SolusVM MastersRSV.com"), and run the tcpdump / wget commands to download the files.