I am looking for an efficient way to restrict ssh connections to only run a specific command. It is intended to be used automatically. Say the user name is "check" and the command is "ps", and it is used by a remote monitoring host.
If I only modify the shell in /etc/passwd to be "ps", then anyone able to ssh to this host with "check" as the username will be able to ask ssh to launch another shell or whatever he wants. Even scp and port forwarding are accessible, because they are standard features of sshd. And because the regular users of this computer have to use them, I can't disable them.
1 - Is there anything I can do to restrict this user "check" to only run "ps" with ssh?
2 - If I launch a second sshd (with a different configuration file of course, and a different listening port), what can I do to fully restrict this user?
3 - ... or a better idea? :-)
Remove him from the group users and allow him to only execute that program.
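
One way to hold the "check" account to "ps" only, as an added example that is not part of the original posts: an OpenSSH forced-command wrapper, bound to the monitoring host's key in authorized_keys. The install path /usr/local/bin/check-only-ps, the key material and the key comment are placeholders assumed for illustration.

```sh
#!/bin/sh
# Added example: forced-command wrapper for the "check" account.
# Hypothetical install path: /usr/local/bin/check-only-ps
#
# Referenced from ~check/.ssh/authorized_keys on one line
# (the key material and comment below are placeholders):
#   command="/usr/local/bin/check-only-ps",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty ssh-ed25519 AAAA...PLACEHOLDER monitoring-host
#
# sshd then runs this script for every session opened with that key,
# whatever the client asked for, and passes the client's request in
# SSH_ORIGINAL_COMMAND. Regular users' keys are not affected.

# Decide what to do with the client's request. Prints "run" or "deny".
decide() {
    requested=$1
    case "$requested" in
        ""|ps) echo run ;;   # no command given, or exactly "ps"
        *)     echo deny ;;  # a shell, scp, "ps; sh", anything else
    esac
}

main() {
    # Fixed PATH so the client's environment cannot change which ps runs.
    PATH=/usr/bin:/bin
    export PATH
    if [ "$(decide "${SSH_ORIGINAL_COMMAND:-}")" = run ]; then
        exec ps
    fi
    # Leave a trace of refused requests for whoever watches the logs.
    logger -t check-only-ps "denied request from ${SSH_CONNECTION%% *}" 2>/dev/null || true
    echo "only ps is allowed for this account" >&2
    exit 1
}

# Act only when started by sshd, which sets SSH_CONNECTION.
if [ -n "${SSH_CONNECTION:-}" ]; then
    main
fi
```

The options after `command=` turn off forwarding and pty allocation for this key only, so the features stay available to the regular users.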