
Enforcing ssh login shell for ssh gateway users selectively in sshd_config file

Enforce login shell for SSH users in the sshd configuration file.

Overview: This article describes how to enforce the ezsh shell for SSH users, excluding root, ted, and ben, in the sshd_config file, followed by restarting the SSH service.
  • By default, the Ezeelogin gateway users are assigned the shell /usr/local/bin/ezsh; however, you may want some gateway users to have OS-level access (a /bin/bash shell) when they log in via ssh.
This article describes how to enforce a specific shell for SSH users:
Step 1: Identify Current Shell:
  • Determine the current shell assigned to the user by using the finger command.

root@jumpbox :~# finger ezadmin
Login: ezadmin        Name:
Directory: /home/ezadmin            Shell: /usr/local/bin/ezsh

Step 2: Modify sshd_config:
Edit the sshd configuration file (/etc/ssh/sshd_config) on your gateway server:
  • You can force every user into the /usr/local/bin/ezsh shell and exclude selected users by adding the following parameters to the /etc/ssh/sshd_config file of the gateway box. Append the lines below to the config file and restart the sshd service to apply the changes.

root@jumpbox :~# vi /etc/ssh/sshd_config

Match User !root,!ted,!ben,?*
ForceCommand /usr/local/bin/ezsh

root@jumpbox :~# service sshd restart 

  • In the above example, every user is forced into the /usr/local/bin/ezsh shell on ssh login except the users root, ted and ben. The negated patterns (!root, !ted, !ben) alone never match anything; the trailing ?* is what matches every remaining username, so it must be kept.
This is the recommended setup, as it improves security by denying a /bin/bash shell to the SSH gateway users who do not need OS-level access on the gateway server and forcing them into the ezsh shell.

The users root, ted and ben are excluded, so they get OS-level access (a /bin/bash shell on ssh login) and simply run the command ezsh to get the ezsh shell interface.
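Before restarting sshd it is worth knowing exactly which users the Match line will catch. The script below is an added example, not part of the Ezeelogin article: it evaluates a "Match User" pattern list with the same rules sshd(8) uses (any matching negated pattern rejects the list; otherwise some positive pattern must match), using the article's own list. The sample usernames and the sshd -T connection spec are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not Ezeelogin's code): predict which users receive the
# ForceCommand from "Match User !root,!ted,!ben,?*" before restarting sshd.

FORCED_LIST='!root,!ted,!ben,?*'   # pattern list from the article

# match_user USER PATTERN_LIST
# Prints "excluded" if a negated pattern matches USER, "forced" if no negated
# pattern matches and some positive pattern does, otherwise "unmatched".
# A list made only of negations never matches, which is why ?* is required.
match_user() {
    user=$1
    result=unmatched
    oldifs=$IFS
    IFS=','
    set -f                       # keep ?* from expanding against the cwd
    for pat in $2; do
        case $pat in
            "!"*)
                neg=${pat#"!"}   # negated pattern: a hit rejects the whole list
                case $user in
                    $neg) result=excluded; break ;;
                esac ;;
            *)
                case $user in
                    $pat) result=forced ;;
                esac ;;
        esac
    done
    set +f
    IFS=$oldifs
    echo "$result"
}

# Print the decision for a few constructed usernames.
report() {
    for u in root ted ben ezadmin; do
        printf '%-8s %s\n' "$u" "$(match_user "$u" "$FORCED_LIST")"
    done
}

# Without the trailing ?* nobody is forced and the rule silently does nothing:
#   match_user ezadmin '!root,!ted,!ben'   -> unmatched
#
# On the gateway, check the syntax and the effective config for one user
# before restarting (Match blocks are only evaluated with a connection spec):
#   sshd -t
#   sshd -T -C user=ezadmin,host=jumpbox,addr=127.0.0.1 | grep -i forcecommand

if [ "${1:-}" = report ]; then report; fi
```

Run it as `sh predict_match.sh report` to see the table, or source it and call match_user directly.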

Adjust User Shell

To give the ezadmin user the /bin/bash shell, run the following on the gateway box. If the ForceCommand parameters above are in use, you must also add ezadmin to the exclusion list in /etc/ssh/sshd_config; otherwise the Match block still forces the user into ezsh regardless of the login shell.

root@jumpbox :~# chsh -s /bin/bash ezadmin

