[X2Go-User] restricting arbitrary ssh commands
Kris Ilowiecki
kril at sourcecap.ch
Wed Feb 26 12:43:29 CET 2014
Hello Everyone,
I am trying to figure out a way to have X2Go work without
giving the user ssh access to the server.
The approach I have taken is to use XDMCP.
I have created a new 'switcher' user on the server,
who connects with ssh keys and launches XDMCP where
the real user can authenticate.
However, I have problems restricting the access of this
initiating 'switcher' user.
I thought it would be enough to allow him to run
x2gostartagent with the ssh key, i.e.
command="/usr/bin/x2gostartagent ${SSH_ORIGINAL_COMMAND#* }" ssh-rsa...
However, on closer inspection with acct I have noticed that
there are several commands run before x2gostartagent,
apparently including several instances of bash.
Is bash used directly, or would restricting ssh commands to
x2gopath, x2gosyslog, x2gostartagent, (...?) work?
Or would it be possible to put 'switcher' in a chroot jail, and then
have the XDMCP-authenticated user outside of it?
From what I can see, NX3.5 approached this by encapsulating everything
in nxserver, which was then set in /etc/passwd as the shell of
the nx user.
The goal is to prevent the user from executing arbitrary commands,
in particular initiating data transfers.
Any ideas or comments most appreciated
Many thanks,
Kris
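
One way to implement the allowlist the post asks about, as an added example that is not part of the original message or of X2Go: a forced-command gate that only runs x2gopath, x2gosyslog or x2gostartagent. The script path /usr/local/bin/x2go-gate, the /usr/bin location of all three tools and the permitted character set are assumptions.

```shell
#!/bin/sh
# Added example: forced-command gate for the 'switcher' key (not X2Go code).
# Hypothetical install path, referenced from authorized_keys as:
#   command="/usr/local/bin/x2go-gate" ssh-rsa ...

# Allowlist: only the names from the post. The full set the client needs
# is an open question there, so extend it from your own acct/audit logs.
ALLOWED="x2gopath x2gosyslog x2gostartagent"
BIN_DIR=/usr/bin   # assumption: all three live beside x2gostartagent

# Print the allowed program name and return 0, or return 1 to reject.
x2go_gate_check() {
    [ -n "$1" ] || return 1
    set -f              # split into words without glob expansion
    set -- $1
    set +f
    [ "$#" -ge 1 ] || return 1
    for word in "$@"; do
        case $word in
            # Conservative character set: no ; | & $ ` ( ) < > quotes or \
            *[!A-Za-z0-9_.,:=/+@-]*) return 1 ;;
        esac
    done
    for ok in $ALLOWED; do
        if [ "$1" = "$ok" ]; then
            printf '%s\n' "$ok"
            return 0
        fi
    done
    return 1
}

x2go_gate_main() {
    if prog=$(x2go_gate_check "$SSH_ORIGINAL_COMMAND"); then
        set -f; set -- $SSH_ORIGINAL_COMMAND; set +f
        shift
        # exec with an argv, never through "sh -c", so nothing is re-parsed
        exec "$BIN_DIR/$prog" "$@"
    fi
    logger -t x2go-gate "denied: $SSH_ORIGINAL_COMMAND" 2>/dev/null || true
    echo "x2go-gate: command not permitted" >&2
    exit 1
}

# sshd sets SSH_ORIGINAL_COMMAND only when the client requested a command;
# a bare login has nothing to run here, so the session just ends.
if [ -n "${SSH_ORIGINAL_COMMAND+set}" ]; then
    x2go_gate_main
fi
```

Denied requests go to syslog under the x2go-gate tag, which shows what the client asks for besides the allowlisted names.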