Example SSH Command Restrictions Configuration

Use Case: Allowing Temporary Target Access to Debug an NGINX Problem

This example describes an imaginary use case in which a PrivX admin wants to grant a user temporary root access to a target server to debug an nginx-related problem.

Starting Point

A target host with an SSH service and a root account has been configured in PrivX. PrivX requires the target-admin-role to grant SSH access to the account. Normally the account is used only by trusted admin users for generic Linux server administration.

The PrivX admin is asked to grant a non-admin user temporary root access to the target so that the user can debug problems with the nginx service.

Creating SSH Command Restrictions

To allow a user to debug nginx-related problems, the PrivX admin creates a strict SSH command whitelist that allows only the commands required for the task:

  • Name: nginx-mgmt-commands
  • Type: regex
  • Patterns:
    ^ls( [^<>]*)?$
    ^systemctl (status|start|stop|restart) nginx$
    ^(cat|more|zmore|tail|tail -f) /var/log/nginx/[^/<>]*$

The PrivX admin uses the Evaluate Patterns tool in the PrivX UI to verify that the whitelist allows the required commands and no others.

Test Commands:

ls -al /etc/nginx
systemctl stop nginx
systemctl status nginx
more /var/log/nginx/access.log
ls > .bashrc
systemctl start foo
cat /etc/nginx/foo > /etc/sudoers
cat /etc/nginx/../../root/.ssh/*

Evaluation Results:

ls -al /etc/nginx: Allowed
systemctl stop nginx: Allowed
systemctl status nginx: Allowed
more /var/log/nginx/access.log: Allowed
ls > .bashrc: Not Allowed
systemctl start foo: Not Allowed
cat /etc/nginx/foo > /etc/sudoers: Not Allowed
cat /etc/nginx/../../root/.ssh/*: Not Allowed
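The same evaluation can be kept as an offline regression check for the pattern set. This is an added example, not part of PrivX or its documentation: it assumes a command is allowed when any pattern matches the whole command line, and the function names and the cases marked as constructed are not from the page.

```python
import re

# Patterns copied from the nginx-mgmt-commands whitelist on this page.
NGINX_MGMT_PATTERNS = [
    r"^ls( [^<>]*)?$",
    r"^systemctl (status|start|stop|restart) nginx$",
    r"^(cat|more|zmore|tail|tail -f) /var/log/nginx/[^/<>]*$",
]

# Test commands and verdicts as listed on this page (True = Allowed).
PAGE_CASES = {
    "ls -al /etc/nginx": True,
    "systemctl stop nginx": True,
    "systemctl status nginx": True,
    "more /var/log/nginx/access.log": True,
    "ls > .bashrc": False,
    "systemctl start foo": False,
    "cat /etc/nginx/foo > /etc/sudoers": False,
    "cat /etc/nginx/../../root/.ssh/*": False,
}

# Constructed cases (not from the page) probing the pattern boundaries.
CONSTRUCTED_CASES = {
    "tail -f /var/log/nginx/error.log": True,    # "tail -f" alternative
    "cat /var/log/nginx/../syslog": False,       # [^/<>]* forbids "/"
    "systemctl restart nginx.service": False,    # "nginx$" is exact
    "systemctl status nginx ": False,            # trailing space
    "more /var/log/nginx/access.log > /tmp/copy": False,  # redirect
}

def is_allowed(command, patterns, allow_unmatched=False):
    """Assumed model: allowed if any pattern matches the whole command line."""
    # fullmatch: Python's "$" alone would also match before a trailing newline.
    if any(re.fullmatch(p, command) for p in patterns):
        return True
    return allow_unmatched  # models the "Allow Unmatched Commands" policy

def mismatches(cases, patterns):
    """Return (command, expected, actual) for every case that disagrees."""
    results = ((c, exp, is_allowed(c, patterns)) for c, exp in cases.items())
    return [r for r in results if r[1] != r[2]]

if __name__ == "__main__":
    for name, cases in (("page", PAGE_CASES), ("constructed", CONSTRUCTED_CASES)):
        bad = mismatches(cases, NGINX_MGMT_PATTERNS)
        print(name, "OK" if not bad else bad)
```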

The PrivX admin also creates a loose whitelist that allows target server admins to continue their work.

  • Name: allow-all-commands
  • Type: glob
  • Patterns:
    **

Creating A Role For Temporary Access

The PrivX admin creates a dedicated role named target-nginx-mgmt-role for the temporary access use case.

Configuring Host Account

The PrivX admin first adds the role target-nginx-mgmt-role to the host account roles and disables the File Transfers option under Service Options.

The PrivX admin then configures Command Restrictions for the root account:

  • Enable command restrictions: enabled
  • Command Whitelist: nginx-mgmt-commands
  • Rshell Terminal Banner: Welcome to PrivX restricted shell.
  • Rshell Variant: bash
  • Command Policies:
    • Allow Unmatched Commands: disabled
  • Additional Command Whitelists
    • Command Whitelist: allow-all-commands
    • Roles: target-admin-role

After these configuration changes are saved, SSH command restrictions are always applied when an SSH connection is opened to the target host's root account. The allow-all-commands whitelist allows target server admins to continue their work.

Optionally, the PrivX admin may enable Session Recording for the host.

Unless the target host has been configured with delegated principals, the target host configuration must be modified to accept certificate login for the root account with target-nginx-mgmt-role.

Granting Temporary Access

To grant temporary access, the PrivX admin grants the nginx-mgmt-role to the user.
