Single command shell accounts

A Master padlock with “r00t” as password. (Photo credit: Wikipedia)

There are times when you will want a single-purpose user account – an account that cannot get a shell, nor can it do anything but run a single command. This can be useful for a few reasons – for me, I use it to force an svn update on machines that can’t use user-generated crontabs. Others have used this setup to allow multiple users to run some arbitrary command without giving them shell access.

Add the user

Add the user as you’d add any user. You’ll need a home directory, as I want to use ssh keys so I don’t need a password and it can be scripted from the master server.

 root@slave1# adduser restricteduser

Set the user’s password

Select a nice strong password. I like using pwgen 32 to generate one.

 root@slave1# passwd restricteduser

Copy your ssh-key to the server

Some Linux distros don’t have the following command. In this case, contact your distro mailing list or Google.

 root@master# ssh-copy-id restricteduser@slave1

Lock out the user

Lock the user’s password. This contradicts the above step, but it ensures that restricteduser can’t update their password.

 root@slave1# passwd -l restricteduser

Edit the sshd config

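Depending on your system, this file can be in a number of places. On Debian, it’s /etc/ssh/sshd_config. Put the following block at the bottom of the file, because a Match block applies to every line after it until the next Match line or the end of the file.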

 Match User restricteduser
    AllowTCPForwarding no
    X11Forwarding no
    ForceCommand /bin/foobar_command

Restart ssh

 root@slave1# service ssh restart

Add more ssh keys

Add any additional ssh keys to /home/restricteduser/.ssh/authorized_keys



You can now ssh to the server as restricteduser, and the foobar_command will run. After it’s run, you’re logged out, with any output from foobar_command sent to the terminal.
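
To confirm that the Match block from the sshd config step really applies to restricteduser, you can audit the effective settings that sshd reports in its extended test mode (sshd -T -C). The script below is an added example, not part of the original post; the function names, the host= and addr= values and the sample outputs are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): audit the effective sshd
# settings for the restricted account. Real use, as root on slave1:
#   sshd -T -C user=restricteduser,host=slave1,addr=127.0.0.1 | check_restricted /bin/foobar_command
# The host= and addr= values are placeholders for the connection being simulated.

# Reads `sshd -T` output (lowercase keyword, then value) on stdin.
# Prints one FAIL line per problem; returns 0 only if all three settings hold.
check_restricted() {
    awk -v want="$1" '
        {
            # Rebuild the value from every field after the keyword
            val = ""
            for (i = 2; i <= NF; i++) val = val (i > 2 ? " " : "") $i
            seen[tolower($1)] = val
        }
        END {
            bad = 0
            if (seen["forcecommand"] != want) {
                printf "FAIL forcecommand=%s (expected %s)\n", seen["forcecommand"], want
                bad = 1
            }
            if (seen["allowtcpforwarding"] != "no") {
                printf "FAIL allowtcpforwarding=%s (expected no)\n", seen["allowtcpforwarding"]
                bad = 1
            }
            if (seen["x11forwarding"] != "no") {
                printf "FAIL x11forwarding=%s (expected no)\n", seen["x11forwarding"]
                bad = 1
            }
            exit bad
        }'
}

# Constructed sample: what sshd -T reports when the Match block is applied.
sample_matched() {
    printf '%s\n' 'port 22' 'allowtcpforwarding no' 'x11forwarding no' \
        'forcecommand /bin/foobar_command'
}

# Constructed sample: the Match block did not apply (for example a typo in
# the user name), so the global defaults are reported instead.
sample_unmatched() {
    printf '%s\n' 'port 22' 'allowtcpforwarding yes' 'x11forwarding no' \
        'forcecommand none'
}

sample_matched | check_restricted /bin/foobar_command && echo "restricteduser: OK"
sample_unmatched | check_restricted /bin/foobar_command || echo "restricteduser: NOT restricted"
```

Run the check after every edit to sshd_config and before restarting ssh, so a mistyped user name in the Match line is caught while the account is still unused.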