Is there another way to restrict SSH user other than chroot jail?

289 views Asked by At

I need to create a safe environment for a foreign SSH user that has to have very restricted access to our server. That is:

  • can only execute commands that are allowed
  • can only use specific software that is allowed
  • must not be allowed to see/modify/remove folders and files outside of his/her root filesystem under any circumstances

I have tried using chroot jail before using the jailkit tool for a smaller project that did not need as much customization and it worked fine, but this project is much bigger and requires a lot more customization in terms of allowed software and commands.

The requirements for the safe environment are:

  • the ability to use basic commands such as ls, cd, grep etc.
  • the ability to run dotnet scripts
  • the ability to utilize running RabbitMQ broker (the broker is running OUTSIDE of the environment)
  • the ability to utilize running PostgreSQL database (the database is running OUTSIDE of the environment)

I have heard about multistrap or debootstrap but I am not sure whether these are adequate tools for solving my problem.

The servers are running on Debian OS v. 9 and 10. All the required software is installed in the root filesystem and is running fine. All I need is for the restricted user to be able to utilize it without being able to damage/corrupt the root filesystem.

My questions are:

  1. Are there any other useful (better) tools that I have not mentioned that could solve my problem?
  2. Are there any useful guides for the software I have mentioned that could solve my problem?
1

There are 1 answers

0
Ondřej Holík On BEST ANSWER

In case somebody is facing the same problem. I solved it using Docker container with separate SSH server and all required software installed on it.