Jailed SSH for commands

Is it possible to give a user jailed SSH access that can be used to log in with a password? Users need to launch some commands via CLI for symfony, laravel etc.

Hello @culibine,

Just select a shell instead of nologin in SSH Access user’s advanced options: Users | Hestia Control Panel


Aha. Is it safe? I mean, will the user not be able to install his own packages or go outside his home dir?

If you give ssh access, the user won’t be jailed, so the user could check all the dirs/files of the system (if the user has perms, of course).

Hmmm, any solution for that? Jailed ssh would be insanely good. Limited set of commands.

As far as I know, there were plans to integrate GNU Rush into Hestia, but it seems there is not much time on the devs’ side.

Also, I think @eris was integrating a terminal to be accessed via the web UI, but I don’t have more info about it.

Nah, eris is occupied enough to bake in such massive features as RUSH. Probably I will manage to create some bash abomination script to handle rush enable.

It was not me … But it is working in 1.9; however, it doesn’t provide a jailed environment …

What does it provide? A limited set of commands?

Full access … to the server, same as the current bash setting…

Today I tested a GNU RUSH setup and holy sh** it is convoluted, with 0 info on Google except documentation. A true, valid nightmare.

My second thought was jailed SSH. Just like this: https://linuxconfig.org/jail-ssh-user-to-home-directory-on-linux

Has the hestiacp team considered this approach?

I found this vestacp modification:

Is this something possible to do in hestiacp? Is it possible to create custom v- scripts in /bin of hestia? I think those scripts would be overwritten on next update…

I have not tested it. It should be possible, but we made a lot of changes since then…

How about a custom version of v- scripts? Is there any “/bin/custom” type of support to overwrite original v- scripts?

Just use the /bin/ folder but make sure the names are unique.

Start with a test server and see if it works…