
Mailing List Archive: OpenSSH: Dev

ssh & control groups

 

 



ondrejv at s3group

Jun 1, 2012, 12:50 AM

Post #1 of 4 (531 views)
ssh & control groups

Hi List,

I am looking for an option for sshd to start user's shell (when logging in interactively to a remote host) in a control group via cgexec -
so for example:

/bin/cgexec -g <username> /bin/bash

This would be extremely handy on Linux terminal servers to control users' access to the system resources (protect system from a malicious
user hogging the machine by running cpu/memory intensive applications).

Is something like that possible to achieve?
Thanks,

Ondrej

The information contained in this e-mail and in any attachments is confidential and is designated solely for the attention of the intended recipient(s). If you are not an intended recipient, you must not use, disclose, copy, distribute or retain this e-mail or any part thereof. If you have received this e-mail in error, please notify the sender by return e-mail and delete all copies of this e-mail from your computer system(s).
Please direct any additional queries to: communications [at] s3group
Thank You.
Silicon and Software Systems Limited. Registered in Ireland no. 378073.
Registered Office: South County Business Park, Leopardstown, Dublin 18
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev [at] mindrot
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev


imorgan at nas

Jun 1, 2012, 10:02 AM

Post #2 of 4 (497 views)
Re: ssh & control groups

On Fri, Jun 01, 2012 at 02:50:41 -0500, Ondrej Valousek wrote:
> Hi List,
>
> I am looking for an option for sshd to start user's shell (when logging in interactively to a remote host) in a control group via cgexec -
> so for example:
>
> /bin/cgexec -g <username> /bin/bash
>
> This would be extremely handy on Linux terminal servers to control users' access to the system resources (protect system from a malicious
> user hogging the machine by running cpu/memory intensive applications).
>
> Is something like that possible to achieve?
> Thanks,
>
> Ondrej
>

Hello,

Unfortunately, OpenSSH doesn't support an option which could handle
this. The closest would be the ForceCommand option, but it does not have
the flexibility you need and the command is invoked with the user's
shell.

Something which I have been contemplating submitting as a feature
enhancement is a ForceShell option. The original motivation was to
provide a means of overriding a user's shell from within an
sshd_config(5) Match block. This could be used to conditionally force
the user's shell to something like authpf, scponly, mesh etc. If the
option supported macros such as %u (for the username) and %s (for the
user's original shell), it would probably meet your needs.

However, this only exists as a concept. I have not cut any code for this
and it will probably be a few months before I have an opportunity to do
so. And, since this is the first time I have mentioned this on the list,
I have no idea whether such a feature would be of interest to the
developers.

--
Iain Morgan


bert.wesarg at googlemail

Jun 1, 2012, 11:34 AM

Post #3 of 4 (495 views)
Re: ssh & control groups

Hi,

On Fri, Jun 1, 2012 at 9:50 AM, Ondrej Valousek <ondrejv [at] s3group> wrote:
> Hi List,
>
> I am looking for an option for sshd to start user's shell (when logging in
> interactively to a remote host) in a control group via cgexec - so for
> example:
>
> /bin/cgexec -g <username> /bin/bash
>
> This would be extremely handy on Linux terminal servers to control users'
> access to the system resources (protect system from a malicious user hogging
> the machine by running cpu/memory intensive applications).

Shouldn't this be handled by PAM? A quick search reveals this:

http://fedoraproject.org/wiki/Features/ControlGroups

Bert

>
> Is something like that possible to achieve?
> Thanks,
>
> Ondrej
>


ondrejv at s3group

Jun 4, 2012, 2:48 AM

Post #4 of 4 (490 views)
Re: ssh & control groups

On 06/01/2012 08:34 PM, Bert Wesarg wrote:
> Shouldn't this be handled by PAM? A quick search reveals this:
>
> http://fedoraproject.org/wiki/Features/ControlGroups
>
> Bert
Hi,
Thanks for the tip. Installing libcgroup-pam did the job, indeed!
The only remaining thing is the control group creation upon user login - and that one I can obviously handle with pam_exec.so.

Thanks all,
Ondrej
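
The arrangement described in the last post (pam_exec.so creating the per-user control group at login, before libcgroup-pam places the session in it), as an added example that is not part of the thread or of OpenSSH. It assumes cgroup v1 hierarchies under /sys/fs/cgroup, a users/<username> layout, and a hypothetical script path; the limits are constructed sample values.

```shell
#!/bin/sh
# Added example: per-user cgroup creation for pam_exec.so (cgroup v1 layout).
# Assumed PAM wiring (hypothetical script path), placed before pam_cgroup.so:
#   session optional pam_exec.so /usr/local/sbin/mk-user-cgroup.sh
#   session optional pam_cgroup.so
# pam_exec exports PAM_USER and PAM_TYPE into the script's environment.

CGROOT="${CGROOT:-/sys/fs/cgroup}"     # assumption: v1 hierarchies mounted here
CG_PARENT="${CG_PARENT:-users}"        # assumption: must match the cgrules.conf rule
CPU_SHARES="${CPU_SHARES:-256}"        # constructed sample limit
MEM_LIMIT="${MEM_LIMIT:-1073741824}"   # constructed sample limit (1 GiB)

# PAM_USER becomes a path component and the script runs as root, so accept
# only conservative login names: no '/', no leading '.' or '-', max 32 chars.
valid_user() {
    case "$1" in
        ''|.*|-*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    [ "${#1}" -le 32 ]
}

# Create <controller>/<parent>/<user> and write one limit file into it.
make_group() {  # args: controller user file value
    dir="$CGROOT/$1/$CG_PARENT/$2"
    mkdir -p "$dir" || return 1
    printf '%s\n' "$4" > "$dir/$3"
}

setup_user_cgroup() {  # args: pam_type user
    [ "$1" = "open_session" ] || return 0      # ignore close_session etc.
    valid_user "$2" || { echo "rejecting user name" >&2; return 1; }
    [ "$2" = "root" ] && return 0              # leave root unconstrained
    make_group cpu    "$2" cpu.shares            "$CPU_SHARES" &&
    make_group memory "$2" memory.limit_in_bytes "$MEM_LIMIT"
}

# Act only when invoked by pam_exec (PAM_TYPE set); otherwise define functions only.
if [ -n "${PAM_TYPE:-}" ]; then
    setup_user_cgroup "$PAM_TYPE" "${PAM_USER:-}"
fi
```

Because the module is marked optional in the assumed PAM lines, a rejected user name does not block the login; the session simply proceeds without a per-user group.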

