Example SSH Command Restrictions Configuration
Use Case: Allowing Temporary Target Access to Debug an NGINX Problem
This example describes an imaginary use case in which a PrivX admin wants to grant a user temporary root access to a target server in order to debug an nginx-related problem.
Starting Point
A target host with an SSH service and a root account has been configured in PrivX. PrivX requires the target-admin-role to grant SSH access to the account. Normally the account is used only by trusted admin users for generic Linux server administration.
The PrivX admin is requested to grant temporary root access to the target for a non-admin user, so that the user can debug problems with the nginx service.
Creating SSH Command Restrictions
To allow the user to debug nginx-related problems, the PrivX admin creates a strict SSH command whitelist that allows only the commands required to perform the task:
- Name: nginx-mgmt-commands
- Type: regex
- Patterns:
  ^ls( [^<>]*)?$
  ^systemctl (status|start|stop|restart) nginx$
  ^(cat|more|zmore|tail|tail -f) /var/log/nginx/[^/<>]*$
Using the Evaluate Patterns tool in the PrivX UI, the PrivX admin verifies that the whitelist allows the required commands and no other commands.
Test Commands:
ls -al /etc/nginx
systemctl stop nginx
systemctl status nginx
more /var/log/nginx/access.log
ls > .bashrc
systemctl start foo
cat /etc/nginx/foo > /etc/sudoers
cat /etc/nginx/../../root/.ssh/*
Evaluation Results:
ls -al /etc/nginx: Allowed
systemctl stop nginx: Allowed
systemctl status nginx: Allowed
more /var/log/nginx/access.log: Allowed
ls > .bashrc: Not Allowed
systemctl start foo: Not Allowed
cat /etc/nginx/foo > /etc/sudoers: Not Allowed
cat /etc/nginx/../../root/.ssh/*: Not Allowed
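The evaluation above can also be reproduced offline, so that a change to the whitelist is checked against the expected results before it is saved. The following Python script is an added example, not part of the PrivX documentation or tooling. It assumes Python's re module treats these three patterns the same way as the Evaluate Patterns tool, and its function names are hypothetical.

```python
import re

# Patterns copied from the nginx-mgmt-commands whitelist above.
NGINX_MGMT_PATTERNS = [
    r"^ls( [^<>]*)?$",
    r"^systemctl (status|start|stop|restart) nginx$",
    r"^(cat|more|zmore|tail|tail -f) /var/log/nginx/[^/<>]*$",
]

# Test commands from the page, with the results the page reports for them.
EXPECTED = {
    "ls -al /etc/nginx": True,
    "systemctl stop nginx": True,
    "systemctl status nginx": True,
    "more /var/log/nginx/access.log": True,
    "ls > .bashrc": False,
    "systemctl start foo": False,
    "cat /etc/nginx/foo > /etc/sudoers": False,
    "cat /etc/nginx/../../root/.ssh/*": False,
}


def matching_pattern(command, patterns):
    """Return the first pattern that matches the entire command, or None."""
    for pattern in patterns:
        # fullmatch() must consume the whole string, so a trailing newline
        # cannot slip past the "$" anchor as it can with re.search().
        if re.fullmatch(pattern, command):
            return pattern
    return None


def regressions(expected, patterns):
    """Return the commands whose allow/deny result differs from the expected one."""
    return [
        command
        for command, allowed in expected.items()
        if (matching_pattern(command, patterns) is not None) != allowed
    ]


if __name__ == "__main__":
    for command in EXPECTED:
        hit = matching_pattern(command, NGINX_MGMT_PATTERNS)
        print(f"{command}: {'Allowed' if hit else 'Not Allowed'}")
    print("Mismatches against expected results:", regressions(EXPECTED, NGINX_MGMT_PATTERNS))
```

Because the Python result rests on the assumption above, confirm any new pattern in the Evaluate Patterns tool as well before relying on it.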
The PrivX admin also creates a loose whitelist that allows target server admins to continue their work.
- Name: allow-all-commands
- Type: glob
- Patterns:
  **
Creating A Role For Temporary Access
The PrivX admin creates a dedicated role named target-nginx-mgmt-role for the temporary access use case.
Configuring Host Account
The PrivX admin first adds the role target-nginx-mgmt-role to the host account roles and disables the File Transfers option under Service Options.
The PrivX admin then configures Command Restrictions for the root account:
- Enable command restrictions: enabled
- Command Whitelist: nginx-mgmt-commands
- Rshell Terminal Banner: Welcome to PrivX restricted shell.
- Rshell Variant: bash
- Command Policies:
- Allow Unmatched Commands: disabled
- Additional Command Whitelists
- Command Whitelist: allow-all-commands
- Roles: target-admin-role
- Command Whitelist:
After these configuration changes are saved, SSH command restrictions are always applied when an SSH connection is opened to the target host's root account. The allow-all-commands whitelist allows target server admins to continue their work.
Optionally, the PrivX admin may enable Session Recording for the host.
Unless the target host has been configured with delegated principals, the target host configuration must be modified to accept certificate login for the root account with target-nginx-mgmt-role.
Granting Temporary Access
To grant temporary access, the PrivX admin grants the nginx-mgmt-role to the user.