[X2Go-User] Questions regarding features and configuration advice of X2go
Ulrich Sibiller
uli42 at gmx.de
Mon Dec 20 16:53:44 CET 2021
On Mon, Dec 20, 2021 at 4:14 PM richard lucassen
<mailinglists at lucassen.org> wrote:
>
> On Mon, 20 Dec 2021 12:15:01 +0100
> Stefan Baur <X2Go-ML-1 at baur-itcs.de> wrote:
>
> > In short: forget about it. If you're allowing users SSH access for
> > X2Go, they WILL be able to copy data. You can make it a little harder
> > for them if you think you have to, but as long as they are in control
> > of the client hardware, they will always be able to do so.
>
> I have no complete answer to it, but if you use keys instead of
> user/pass then you will be able to restrict ssh in
> ~/.ssh/authorized_keys
>
> from="1.2.3.4,2.3.4.5,9.8.7.6",no-port-forwarding,command="/path/to/script",no-X11-forwarding,no-agent-forwarding,no-pty
> ssh-rsa <key>
>
> (all in 1 line)
>
> This is an example of what I use here, I think there must be many other
> options available.

Although I have only used it with keys so far, it seems not to be
restricted to keys only, see man sshd_config:

    ForceCommand
            Forces the execution of the command specified by ForceCommand,
            ignoring any command supplied by the client and ~/.ssh/rc if
            present. The command is invoked by using the user's login shell
            with the -c option. This applies to shell, command, or subsystem
            execution. It is most useful inside a Match block. The command
            originally supplied by the client is available in the
            SSH_ORIGINAL_COMMAND environment variable. Specifying a command
            of internal-sftp will force the use of an in-process SFTP server
            that requires no support files when used with ChrootDirectory.
            The default is none.

Uli
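
An added example, not part of the original thread: a wrapper that could be installed as the forced command (via ForceCommand or command= in authorized_keys) and that decides from SSH_ORIGINAL_COMMAND whether to run the request. The group name, the wrapper path and the allowlisted program paths are hypothetical placeholders.

```shell
#!/bin/sh
# Added example: wrapper used as a forced command. Hypothetical sshd_config:
#   Match Group restricted-users
#       ForceCommand /usr/local/sbin/forced-command
# sshd puts the command the client asked for in SSH_ORIGINAL_COMMAND.

# Constructed allowlist; replace with the programs the service really needs.
ALLOWED_COMMANDS="/usr/local/bin/session-start /usr/local/bin/session-list"

# check_command REQUEST: prints "allow" or "deny:<reason>", returns 0 or 1.
check_command() {
    set -f            # word-split the request without filename globbing
    set -- $1
    # No words at all: the client asked for an interactive shell.
    if [ $# -eq 0 ]; then echo "deny:interactive-shell"; return 1; fi
    # Conservative character set per word: no ; | & $ ` quotes or redirects.
    for word in "$@"; do
        case $word in
            *[!A-Za-z0-9_./=-]*) echo "deny:bad-character"; return 1 ;;
        esac
    done
    # The program must equal an allowlisted path exactly; anything else
    # (scp, rsync, a shell) falls through to the final deny.
    for ok in $ALLOWED_COMMANDS; do
        if [ "$1" = "$ok" ]; then echo "allow"; return 0; fi
    done
    echo "deny:not-allowlisted"; return 1
}

# Act only when started by sshd (which sets SSH_CONNECTION), so the
# function above can also be loaded and exercised outside a login.
if [ -n "${SSH_CONNECTION:-}" ]; then
    if verdict=$(check_command "${SSH_ORIGINAL_COMMAND:-}"); then
        set -f
        exec $SSH_ORIGINAL_COMMAND    # split into argv, never given to a shell
    fi
    logger -t forced-command "refused request from ${USER:-unknown}: $verdict"
    echo "request refused" >&2
    exit 1
fi
```

This only narrows what the SSH channel will execute; whatever the allowlisted programs themselves expose to the user remains reachable.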