hi,
I have ssh connection between two servers for a functional Id for SFTP purpose.
I aim is to setup this for is only work when below command is used by a .ksh script.
ssh userid@servername:/directory
Unfortunately users who have access to functional id are manually using above command and start moving files between these two servers. I want to restrict this manual login and activate only for scripts that contains above command.
Please advise
Thanks.
You have to specify ChrootDirectory in /etc/ssh/sshd_config which will be chroot-ed during an sftp session. You may make this as the home directory for the "functional ID" (shared ID I suppose).
ChrootDirectory=/directory
So my understanding of your question is that you want to have passwordless ssh command only work if its invoked by a particular script?
Really, the only reasonable way I can think to do that is:
1) push the passwordless ability to some other user
2) have that script be invoked via a sudo to that user and only that script.
That would get you to the point where you would do something like:
sudo -iu newUser /path/to/script.ksh
Ultimately, it's about removing the shared account's ability to directly use the public/private key associated with the remote login. Whether that involves pushing the passwordless functionality to a different user and just control who can run the script as the newer user (as described above) or leaving it in place and having people use a different shared account, that's what needs to happen.