Channel: linuxadmin: Expanding Linux SysAdmin knowledge

How to prevent some users from executing a specific command only when they SSH into a machine (not at console). But allow other users to run that command both at console and remotely.

Solved: Courtesy of somidscr21

    # These lines to disable
    X11Forwarding no
    AllowTcpForwarding no
    othersshOptions yes
    evenmoreOptions no
    whateverElse yes

    # This to enable for a group
    Match Group X11AllowedGroup
        X11Forwarding yes
        AllowTcpForwarding yes

    ## OR ##

    # Or this to enable for a user
    Match User johndoetheuser
        X11Forwarding yes
        AllowTcpForwarding yes

Goal: I would like to set it up so that when some users SSH into a Linux machine they are unable to run a specific command. We want to restrict it remotely for them but not locally on the console. However, we do want to allow one user (an administrator) to be able to run this command remotely and locally.

Side note: This command does require the GUI so maybe that opens up some options on limiting it.

I looked into the following so far

  1. X11Forwarding options in sshd_config to disable the command in sshd_config. Seems like a kludge and it doesn't work. This is an all or nothing option. Unless I am mistaken.
  2. In sshd_config per user limitation is based only on keys which we can't use on this system setup (has to be password authentication). Seems I can't use that either.
  3. VNC may be the right answer to allow the special user access while denying sshd_config from X11 Forwarding for the others.

Question: Do you have any suggestions or ideas on how I can accomplish this?

Edit: Additional Parameters: This is a research software called "vnmrj" and is used by researchers to interface and gather data from an instrument. There is an accounting script that runs on login which they have to enter funding codes into but that doesn't run via SSH (KDE something or other written by someone else). Hence we want to prevent the command running remotely except for the one user.

Thanks

submitted by Reddech
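
Added example (not part of the original post, and not OpenSSH code): a simplified Python model of how the Match blocks in the solution above resolve for a given login, showing that the global `no` values stay in force unless a satisfied Match block overrides that keyword. It assumes only `Match User` and `Match Group` criteria with exact names; `SAMPLE_CONFIG` and the function names are constructed for illustration.

```python
# Simplified model of how sshd resolves keywords for one login.
# Assumptions: only "Match User"/"Match Group", exact names in comma lists
# (no wildcards, negation, "Match All" or Include).
SAMPLE_CONFIG = """\
# constructed sample following the layout in the post
X11Forwarding no
AllowTcpForwarding no
Match Group X11AllowedGroup
    X11Forwarding yes
    AllowTcpForwarding yes
Match User johndoetheuser
    X11Forwarding yes
"""


def block_applies(criteria, user, groups):
    """True when every criterion on a Match line is satisfied."""
    if len(criteria) % 2:
        raise ValueError("Match criteria must be name/value pairs")
    for name, value in zip(criteria[::2], criteria[1::2]):
        wanted = set(value.split(","))
        if name.lower() == "user":
            ok = user in wanted
        elif name.lower() == "group":
            ok = bool(wanted & set(groups))
        else:
            raise ValueError(f"criterion not modelled: {name}")
        if not ok:
            return False
    return True


def effective_settings(config_text, user, groups):
    """Return {lowercased keyword: value} for this user and group list."""
    global_opts, match_opts = {}, {}
    target = global_opts  # dict receiving keywords; None inside a skipped block
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        keyword, rest = (line.split(None, 1) + [""])[:2]
        if keyword.lower() == "match":
            hit = block_applies(rest.split(), user, groups)
            target = match_opts if hit else None
        elif target is not None:
            # First obtained value wins, within globals and across Match blocks.
            target.setdefault(keyword.lower(), rest.strip())
    return {**global_opts, **match_opts}  # satisfied Match blocks override globals
```

On a real host, `sshd -T -C user=NAME,host=HOST,addr=ADDR` (run as root) prints the settings sshd itself would apply to that connection, which is the authoritative check.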