Hi List,

I am looking for an option for sshd to start user's shell (when logging in interactively to a remote host) in a control group via cgexec - so for example:

/bin/cgexec -g <username> /bin/bash

This would be extremely handy on linux Terminal servers to control users' access to the system resources (protect system from a malicious user hogging the machine by running cpu/memory intensive applications).

Is something like that possible to achieve?
Thanks,

Ondrej

On Fri, Jun 01, 2012 at 02:50:41 -0500, Ondrej Valousek wrote:
> Hi List,
>
> I am looking for an option for sshd to start user's shell (when logging in interactively to a remote host) in a control group via cgexec -
> so for example:
>
> /bin/cgexec -g <username> /bin/bash
>
> This would be extremely handy on linux Terminal servers to control users' access to the system resources (protect system from a malicious
> user hogging the machine by running cpu/memory intensive applications).
>
> Is something like that possible to achieve?
> Thanks,
>
> Ondrej
>

Hello,

Unfortunately, OpenSSH doesn't support an option which could handle this. The closest would be the ForceCommand option, but it does not have the flexibility you need and the command is invoked with the user's shell.

Something which I have been contemplating submitting as a feature enhancement is a ForceShell option. The original motivation was to provide a means of overriding a user's shell from within an sshd_config(5) Match block. This could be used to conditionally force the user's shell to something like authpf, scponly, mesh etc.

If the option supported macros such as %u (for the username) and %s (for the user's original shell), it would probably meet your needs.

However, this only exists as a concept. I have not cut any code for this and it will probably be a few months before I have an opportunity to do so. And, since this is the first time I have mentioned this on the list, I have no idea whether such a feature would be of interest to the developers.

--
Iain Morgan

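An added illustration, not part of the thread and not OpenSSH code: a wrapper that approximates the request with the existing ForceCommand option, using the SSH_ORIGINAL_COMMAND variable that sshd sets for forced commands. The script path /usr/local/bin/cg-shell, the --run switch, the controller list and the cgroup layout users/<name> are hypothetical, and the groups are assumed to exist already and to be joinable by the user.

```shell
#!/bin/sh
# Added example: wrapper for sshd_config "ForceCommand /usr/local/bin/cg-shell --run".
# Hypothetical names: script path, --run switch, cgroup layout users/<name>.

CONTROLLERS="cpu,memory"   # assumed controller set
CGEXEC=/bin/cgexec         # fixed here on purpose, never read from the environment

# Start the shell inside the user's control group.
# $1 = user name, $2 = login shell, $3 = SSH_ORIGINAL_COMMAND (may be empty)
launch() {
    user=$1 shell=$2 orig=$3
    # Refuse names that could change the cgroup path (slashes, dots, spaces)
    # or be parsed as an option.
    case $user in
        ''|-*|*[!A-Za-z0-9_-]*)
            echo "cg-shell: bad user name" >&2; return 1 ;;
    esac
    [ -x "$shell" ] || { echo "cg-shell: no usable shell" >&2; return 1; }
    group="$CONTROLLERS:users/$user"
    if [ -n "$orig" ]; then
        # Non-interactive request (ssh host cmd, scp, sftp): run it unchanged.
        exec "$CGEXEC" -g "$group" "$shell" -c "$orig"
    fi
    # Interactive login; assumes the shell accepts -l.
    exec "$CGEXEC" -g "$group" "$shell" -l
}

if [ "${1:-}" = "--run" ]; then
    user=$(id -un) || exit 1
    shell=$(getent passwd "$user" | cut -d: -f7)
    launch "$user" "$shell" "${SSH_ORIGINAL_COMMAND:-}"
    exit 1   # reached only when launch refused to start anything
fi
```

Because sshd runs the forced command through the user's own shell, that first shell and its startup files still execute outside the group, which is the limitation the reply above points out.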
Hi,

On Fri, Jun 1, 2012 at 9:50 AM, Ondrej Valousek <ondrejv at s3group.com> wrote:
> Hi List,
>
> I am looking for an option for sshd to start user's shell (when logging in
> interactively to a remote host) in a control group via cgexec - so for
> example:
>
> /bin/cgexec -g <username> /bin/bash
>
> This would be extremely handy on linux Terminal servers to control users'
> access to the system resources (protect system from a malicious user hogging
> the machine by running cpu/memory intensive applications).

Shouldn't this be handled by PAM? A quick search reveals this:

http://fedoraproject.org/wiki/Features/ControlGroups

Bert

>
> Is something like that possible to achieve?
> Thanks,
>
> Ondrej
>