
Lshell instead of chroot ssh

Everyone runs into this sooner or later: plain FTP is not enough for the developers and you have to hand out SSH access. Our clients sometimes ask for restricted SSH access. We used to do this with a chrooted SSH, which is not the easiest thing to set up, but recently I came across a great product, lshell.

Lshell - limited shell


lshell is a limited shell written in Python that lets you lock a user into a given set of directories and restrict the commands that user may run. It is packaged for CentOS (from the EPEL repository) and Debian, so installing it is a one-liner:
yum install lshell 

 apt-get install lshell 

If you need the latest version, build it from the release tarball:
 wget https://github.com/ghantoos/lshell/releases/download/0.9.16/lshell-0.9.16.tar.gz
 tar xvfz lshell-0.9.16.tar.gz
 cd lshell-0.9.16
 python setup.py install --no-compile --install-scripts=/usr/bin/

Then all that is left is to make it the user's login shell, i.e. the seventh field of the user's line in /etc/passwd (chsh -s /usr/bin/lshell user does the same):
user:x:502:502::/home/user:/usr/bin/lshell
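The install and the passwd change, put together as an onboarding script. This is an example added for this article, not code from lshell or the original post; it assumes lshell lives at /usr/bin/lshell and the config at /etc/lshell.conf as above, and the per-user section it appends mirrors the [user] example further down. chsh(1) only accepts shells listed in /etc/shells, so the script registers lshell there too. The privileged steps (useradd/usermod, editing /etc/shells and /etc/lshell.conf) only run when it is called as root with the argument apply; the helper functions can be exercised without root.

```shell
#!/bin/sh
# Added example for this article: onboard a user whose login shell is lshell.
# Not part of lshell or the original post. Paths are assumptions taken from
# the article (lshell at /usr/bin/lshell, config in /etc/lshell.conf).

LSHELL=/usr/bin/lshell
LSHELL_CONF=/etc/lshell.conf

# Return 0 when a passwd(5) line names lshell as the login shell (field 7),
# e.g. "user:x:502:502::/home/user:/usr/bin/lshell".
passwd_line_uses_lshell() {
    [ "$(printf '%s\n' "$1" | cut -d: -f7)" = "$LSHELL" ]
}

# Return 0 when the /etc/shells content on stdin lists lshell.
# chsh(1) refuses a shell that is not listed there, so register it first.
shells_list_has_lshell() {
    grep -qxF "$LSHELL"
}

# Print a per-user [section] for lshell.conf. $1 = user name, $2 = the quoted
# paths as they appear inside the python-style list, e.g. "'/var/www/site1'".
render_user_section() {
    printf '[%s]\n' "$1"
    printf "allowed: ['ls', 'echo', 'cd', 'll', 'cp', 'mv']\n"
    printf 'strict: 1\n'
    printf 'warning_counter: 2\n'
    printf 'path: [%s]\n' "$2"
    printf 'scp: 1\n'
    printf 'sftp: 1\n'
    printf "overssh: ['ls', 'rsync']\n"
}

# Privileged part: register the shell, create or switch the user, append the
# section once, then verify that the passwd entry really points at lshell.
apply_restricted_user() {
    user=$1
    paths=$2
    command -v "$LSHELL" >/dev/null 2>&1 || { echo "lshell is not installed" >&2; return 1; }
    shells_list_has_lshell < /etc/shells || echo "$LSHELL" >> /etc/shells
    if id "$user" >/dev/null 2>&1; then
        usermod -s "$LSHELL" "$user"
    else
        useradd -m -s "$LSHELL" "$user"
    fi
    grep -q "^\[$user\]" "$LSHELL_CONF" \
        || { printf '\n'; render_user_section "$user" "$paths"; } >> "$LSHELL_CONF"
    passwd_line_uses_lshell "$(getent passwd "$user")"
}

# Usage (as root): sh lshell-user.sh apply devuser "'/var/www/site1', '/var/www/site2'"
if [ "${1:-}" = "apply" ] && [ "$(id -u)" = 0 ]; then
    apply_restricted_user "${2:-user}" "${3:-'/var/www/site1'}"
fi
```

After it has run, log in once as the new user over SSH and confirm that the prompt is lshell's and that a command outside the allowed list is refused; the passwd check at the end only proves the shell was set, not that the config section is what you wanted.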

Configuration file

/etc/lshell.conf:
# lshell.py configuration file
#
# $Id: lshell.conf,v 1.27 2010/10/18 19:05:17 ghantoos Exp $

[global]
## log directory (default /var/log/lshell/)
logpath: /var/log/lshell/
## set log level to 0, 1, 2, 3 or 4 (0: no logs, 1: least verbose,
## 4: log all commands)
loglevel: 2
## configure log file name (default is %u, i.e. username.log)
#logfilename: %y%m%d-%u
#logfilename: syslog

## in case you are using syslog, you can choose your logname
#syslogname: myapp

[default]
## a list of the allowed commands, or 'all' to allow all commands in the user's PATH
allowed: ['ls', 'echo', 'cd', 'll']

## a list of forbidden characters or commands
forbidden: [';', '&', '|', '`', '>', '<', '$(', '${']

## a list of commands to use with sudo(8)
#sudo_commands: ['ls', 'more']

## number of warnings when user enters a forbidden value before getting
## exited from lshell, set to -1 to disable.
warning_counter: 2

## command aliases list (similar to bash's alias directive)
aliases: {'ll': 'ls -l', 'vi': 'vim'}

## introduction text to print (when entering lshell)
#intro: "== My personal intro ==\nWelcome to lshell\nType '?' or 'help' to get the list of allowed commands"

## configure your prompt using %u or %h (default: username)
#prompt: "%u@%h"

## a value in seconds for the session timer
#timer: 5

## a list of paths the user is allowed to access (in addition to the home directory)
#path: ['/home/bla/', '/etc']

## set the home folder of your user. If not specified the home_path is set to
## the $HOME environment variable
#home_path: '/home/bla/'

## update the environment variable $PATH of the user
#env_path: ':/usr/local/bin:/usr/sbin'

## add environment variables
#env_vars: {'foo': 1, 'bar': 'helloworld'}

## allow or forbid the use of scp (set to 1 or 0)
#scp: 1

## forbid scp upload
#scp_upload: 0

## forbid scp download
#scp_download: 0

## allow or forbid the use of sftp (set to 1 or 0)
#sftp: 1

## list of commands allowed to execute over ssh (e.g. rsync, rdiff-backup, etc.)
#overssh: ['ls', 'rsync']

## logging strictness. If set to 1, any unknown command is considered as
## forbidden, and user's warning counter is decreased. If set to 0, command is
## considered as unknown, and user is only warned (i.e. *** unknown syntax)
#strict: 1

## force files sent via scp to a specific directory
#scpforce: '/home/bla/uploads/'

## history file maximum size
#history_size: 100

## set history file name (default is /home/%u/.lhistory)
#history_file: "/home/%u/.lshell_history"

As you can see, the default configuration file is divided into a global section, [global], and a default section, [default]. You can also configure a specific user by adding a section named after that user, e.g. [user]; settings in the user's own section take priority over those in [default].
An example section for a user:
[user]
allowed: ['ls', 'echo', 'cd', 'll', 'cp', 'mv']
strict: 1
warning_counter: 2
#timer: 5
path: ['/var/www/site1', '/var/www/site2']
#allowed_cmd_path: ['/home/user/bin']
scp: 1
sftp: 1
overssh: ['ls', 'rsync']

allowed - the commands the user may run
warning_counter - how many forbidden actions are tolerated before the user is thrown out of the session (with strict: 1, unknown commands count as forbidden as well)
timer - session timeout in seconds, after which the user is thrown out of the session
path - directories the user may enter, in addition to the home directory
allowed_cmd_path - directories from which the user may run executables
scp - allow or forbid scp for this user
sftp - allow or forbid sftp for this user
overssh - commands the user may run non-interactively, i.e. passed on the ssh command line (ssh user@host rsync ...)

Keep in mind that lshell only filters the command line it sees. An allowed program that can launch a subprocess on its own (vim via :! or :shell, less and more via !, an interpreter such as python) gives the user an unrestricted shell that lshell never sees, so keep the allowed list and the aliases to programs without such escapes.
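A check for that caveat, added for this article and not part of lshell or the original post: the script pulls the allowed, aliases and sudo_commands entries out of a section of lshell.conf and flags anything on a watchlist of programs that can start a subprocess of their own (vim's :!, the ! command in less/more/man, python and perl, find -exec, tar --checkpoint-action=exec, rsync -e). The watchlist and the embedded sample config are constructed for this example; the sample reuses the article's [default] section, whose 'vi': 'vim' alias is exactly the kind of entry it should catch, and the article's [user] section, which should pass.

```shell
#!/bin/sh
# Added example for this article, not part of lshell: audit the commands an
# lshell.conf section hands to the user. lshell filters the command line it
# sees, but a program with its own shell escape starts an unrestricted shell.
# The watchlist is this example's assumption; extend it for what you allow.

ESCAPE_CAPABLE="vi vim view less more man python python3 perl ruby find awk tar rsync"

# Constructed sample config: the article's [default] and [user] sections.
SAMPLE_CONF="[global]
logpath: /var/log/lshell/

[default]
allowed: ['ls', 'echo', 'cd', 'll']
forbidden: [';', '&', '|', '\`', '>', '<', '\$(', '\${']
aliases: {'ll': 'ls -l', 'vi': 'vim'}

[user]
allowed: ['ls', 'echo', 'cd', 'll', 'cp', 'mv']
path: ['/var/www/site1', '/var/www/site2']
overssh: ['ls', 'rsync']"

# Print the body of section [$1] from the config on stdin (up to the next section).
section_body() {
    awk -v want="[$1]" '
        /^\[.*\]/ { insec = ($0 == want); next }
        insec      { print }
    '
}

# From the section body on stdin, print the first word of every quoted item on
# the line whose key is $1 (allowed: [...], aliases: {...}, sudo_commands: [...]).
# For an alias both its name and its expansion are printed: the expansion runs.
list_items() {
    awk -v key="$1" '
        $0 ~ ("^" key "[ \t]*:") {
            sub("^" key "[ \t]*:", "")
            n = split($0, parts, "'\''")        # even-numbered parts are inside quotes
            for (i = 2; i <= n; i += 2) {
                split(parts[i], word, " ")
                if (word[1] != "") print word[1]
            }
        }'
}

# Warn about every watchlisted command in section $2 of the config text $1.
# Returns 1 if anything was flagged, 0 if the section is clean.
audit_section() {
    conf=$1
    sec=$2
    found=0
    for cmd in $( { printf '%s\n' "$conf" | section_body "$sec" | list_items allowed
                    printf '%s\n' "$conf" | section_body "$sec" | list_items aliases
                    printf '%s\n' "$conf" | section_body "$sec" | list_items sudo_commands
                  } | sort -u); do
        for bad in $ESCAPE_CAPABLE; do
            if [ "$cmd" = "$bad" ]; then
                echo "[$sec]: '$cmd' can start a subprocess and escape lshell"
                found=1
            fi
        done
    done
    [ "$found" = 0 ]
}

# Run it over the sample: [default] is flagged for vi/vim, [user] is clean.
for sec in default user; do
    if audit_section "$SAMPLE_CONF" "$sec"; then
        echo "[$sec]: clean"
    fi
done
```

To audit a real installation, feed the file instead of the sample, e.g. audit_section "$(cat /etc/lshell.conf)" devuser, and remember that [default] applies to every user who has no entry of their own, so it is the section to check first.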

The only significant flaw I found is a bug with constructs of the form
 cd <directory> && <command>

which produce an error. For example:
 user:~$ cd /home/user && ls
 lshell: /home/user && ls: No such file or directory

The developer has promised to fix this bug.

References:

Product page on GitHub: https://github.com/ghantoos/lshell

Source: https://habr.com/ru/post/212833/
