There are times when you will want a single-purpose user account: an account that cannot get a shell, nor can it do anything but run a single command. This can come in useful for a few reasons. For me, I use it to force an svn update on machines that can't use user-generated crontabs. Others have used this setup to allow multiple users to run some arbitrary command without giving them shell access.
Add the user
Add the user as you'd add any user. You'll need a home directory (the ssh key goes under it), as I want to use ssh keys so I don't need a password and the whole thing can be scripted from the master server.
root@slave1# adduser restricteduser
Set the user's password
Select a nice strong password. I like using pwgen 32.
root@slave1# passwd restricteduser
Copy your ssh-key to the server
Some Linux distros don't have the following command; in that case, consult your distro's mailing list or Google.
root@master# ssh-copy-id restricteduser@slave1
Lock out the user
Lock the user's password. This seems to contradict the previous step, but the ssh key is what will be used to log in, and locking the password ensures that restricteduser can't log in with it or change it.
root@slave1# passwd -l restricteduser
Edit the sshd config
Depending on your system, this can be in a number of places. On Debian, it's /etc/ssh/sshd_config. Put the following block at the bottom of the file: every directive after a Match line applies only to that match until the next Match, so it must come after the global settings.

    Match User restricteduser
        AllowTcpForwarding no
        X11Forwarding no
        ForceCommand /bin/foobar_command
root@slave1# service ssh restart
Add more ssh keys
Add any additional ssh keys to /home/restricteduser/.ssh/authorized_keys, one per line.
You can now ssh to the server as restricteduser and foobar_command will run, regardless of what command (or shell) the client asked for. Once it has finished you are logged out, with any output from foobar_command sent to your terminal.
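To see how the Match scoping works in practice, here is an added shell helper (not from the original post) that renders the block above and reads back which ForceCommand a given user gets from an sshd_config; the config text it parses is constructed for the demo, and restricteduser / /bin/foobar_command are the post's placeholders.

```shell
#!/bin/sh
# Added example, not from the original post. Emits the per-user Match block and
# reads back the ForceCommand a user would get from an sshd_config. Names used
# (restricteduser, /bin/foobar_command) are the post's placeholders.

# render_match_block USER COMMAND: print the block the post appends to sshd_config.
render_match_block() {
    printf 'Match User %s\n' "$1"
    printf '    AllowTcpForwarding no\n'
    printf '    X11Forwarding no\n'
    printf '    ForceCommand %s\n' "$2"
}

# forced_command_for USER: read sshd_config text on stdin and print the
# ForceCommand that applies to USER. sshd scopes every directive after a
# "Match" line to that match until the next "Match" (which is why the block
# belongs at the bottom of the file); this mimics that scoping for one keyword.
# Limitation: a global ForceCommand set before any Match line is not reported.
forced_command_for() {
    awk -v user="$1" '
        tolower($1) == "match" {
            inblock = (tolower($2) == "user" && $3 == user)
            next
        }
        inblock && tolower($1) == "forcecommand" {
            sub(/^[ \t]*[^ \t]+[ \t]+/, "")   # drop the keyword, keep the whole command line
            print
            exit
        }
    '
}

# Constructed sshd_config for the demo (not a real server's file).
SAMPLE_CONFIG='PermitRootLogin no
PasswordAuthentication no

Match User restricteduser
    AllowTcpForwarding no
    X11Forwarding no
    ForceCommand /bin/foobar_command
'

# Stand-alone run: `sh this.sh demo` shows the block and the command sshd would force.
if [ "${1:-}" = "demo" ]; then
    render_match_block restricteduser /bin/foobar_command
    printf '%s' "$SAMPLE_CONFIG" | forced_command_for restricteduser
fi
```

On the real host, `sshd -t` validates the file before the restart and `sshd -T -C user=restricteduser | grep -i forcecommand` prints the value sshd itself resolves for that user.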