Environment: CentOS 7
I would like to have a solution where a service account can access a server in only these ways:
- ssh non-interactively via password or ssh key; that is, run commands or scripts (but running anything in /etc/shells will not be allowed)
- not ssh interactively
- regular users can su $serviceaccount or otherwise get an interactive shell
The purpose is to make users log in to the server as themselves, and then switch user, but also to allow the service account to interact with itself through scripted processes from other servers.
I have tried these steps already:

- sshd_config no ttys

  /etc/ssh/sshd_config:

      Match User $serviceaccount
          PermitTTY no

  This one actually does nothing except prevent a nice-looking terminal. The user still gets an interactive shell.
- commands in ~/.authorized_keys

  /home/serviceaccount/.ssh/authorized_keys:

      command="/usr/local/bin/oneshellscripttorulethemall.sh" ssh-rsa AAAAAA....

  Users can modify it, plus I cannot guarantee that every connection uses an ssh key.
- altering default shell in /etc/passwd

  /etc/passwd:

      serviceaccount:x:1500:1500:service account:/home/serviceaccount:/sbin/nologin

  - /sbin/nologin: prevents all logins, except "sudo -su $serviceaccount"
  - /bin/false: fails out entirely
  - /bin/true: does not allow any activity at all
  - custom wrapper script: A custom script that checks for "$@" and reacts to it might be my only choice and I will continue experimentation. But it could get weird for the local users who su $serviceaccount.
- restrict logins from certain IPs (the other servers who are using the service account)

  Users could just get a shell over there, and ssh in directly to an interactive shell.
In conclusion
I am interested in any and all attempts to meet the goals described above: Paid solutions, free solutions, hacky shell scripts, ssh config customization, custom default shells, wrapper scripts, etc. I would be pleased to see even partial answers, and I can bang away on adding the missing portions.
Is what I'm aiming for reasonable, or even possible?
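
One way to build the custom wrapper shell considered in the question, as an added example that is not part of the original post: it tells "ssh host" apart from "su $serviceaccount" by the parent process name instead of by "$@" alone. The script name svc-shell, its install path, REAL_SHELL and the reliance on sshd/su appearing as the parent's comm value are assumptions.

```shell
#!/bin/bash
# Added example: hypothetical login shell for the service account, assumed
# to be installed as /usr/local/bin/svc-shell and set in /etc/passwd.
REAL_SHELL=/bin/bash   # shell that does the real work (assumption)

# svc_decide PARENT_COMM SHELLS_FILE [arguments the login shell received]
# Prints: run | interactive | deny-interactive | deny-shell | deny-args
svc_decide() {
    local parent shells cmd word path
    parent=$1; shells=$2; shift 2
    if [ $# -eq 0 ]; then
        # No arguments means an interactive session. Parent sshd: "ssh host"
        # with no command. Parent su or sudo: a local user switching.
        if [ "$parent" = sshd ]; then echo deny-interactive; else echo interactive; fi
        return 0
    fi
    # sshd and "su -c" both start the login shell as: shell -c 'command'
    if [ "$1" != -c ] || [ $# -ne 2 ]; then echo deny-args; return 0; fi
    cmd=${2#"${2%%[![:space:]]*}"}      # strip leading whitespace
    word=${cmd%%[[:space:]]*}           # first word of the command
    path=$(command -v "$word" 2>/dev/null) || path=$word
    # Best effort: refuses a direct "ssh host bash", not a shell started
    # indirectly by a program that is allowed to run.
    if grep -qxF -- "$path" "$shells" 2>/dev/null; then
        echo deny-shell
    else
        echo run
    fi
}

# Dispatch only under the assumed install name, so the file can be sourced.
if [ "${0##*/}" = svc-shell ]; then
    parent=$(ps -o comm= -p "$PPID")
    case $(svc_decide "$parent" /etc/shells "$@") in
        run)         exec "$REAL_SHELL" "$@" ;;
        interactive) exec "$REAL_SHELL" ;;
        *)           echo "this session type is not permitted" >&2; exit 1 ;;
    esac
fi
```

Because the decision is made in the login shell, it applies to password and key logins alike and does not depend on anything in the account's home directory.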