Today I needed to configure my personal machine for some VIM pairing and wanted to make the SSH connection restrictive in a way that the only thing my pair can do is get into a tmux section I create.

This article is a step-by-step guide on how I did it.

SSHD Config

Enable “Remote Login” on the “Sharing” pane of System Preferences.

The first thing we need to do is let the user ssh to your machine.

enable remote login

Change default SSHD port (Optional)

If you don’t want (or your ISP blocks) port 22, make the following change to /System/Library/LaunchDaemons/ssh.plist.

sshd_config change

And restart the daemon:

launchctl stop com.openssh.sshd
 	launchctl start com.openssh.sshd

User Creation

Create a regular user on the “Users & Groups” pane of System Preferences. We’ll assume a “johndoe” login name for the rest of this tutorial.

Setup Restrictions

Now we need to protect the system commands from execution by that user.

As root, cd into /Users/johndoe and create the following files.

~/.bashrc

#Resticted Shell
set -r

~/.bash_profile

# remove global environment
/usr/bin/env -

# set restricted path
PATH=/Users/johndoe/bin

# local bashrc sets restricted shell
if [ -f ~/.bashrc ]; then
    . ~/.bashrc
fi

# User specific environment and startup programs
export PATH
unset USERNAME

This will basically keep the user far from any system commands.

Next let’s be sure he doesn’t have write permission or own his home files:

chown root:staff *
chmod -R -w /Users/johndoe

Now is a good time to login with the user you created and check if everything is unavailable (play around with cd, ls, etc).

ssh johndoe@localhost -p 22022

Note: adjust the -p option according to your port choice. Default is 22.

Setup Allowed Commands

Finally we need to make some commands available for the guest user. Everything in /Users/johndoe/bin will be available for execution so be free to create as much links/scripts as you want:

cd /Users/johndoe/bin
ln -s /usr/bin/clear
ln -s /usr/bin/tmux

Note: these are just examples, adjust to your paths.

Pairing with tmux and VIM

Now with your regular user create a tmux session and invite your pair to ssh as the guest user you created. Once in, he’ll be able to attach to your tmux session.

If you don’t have tmux installed, I recommend installing it using Homebrew.

brew install tmux

If you are not familiar with tmux I recommend this article for a quick introduction:

http://blog.hawkhost.com/2010/06/28/tmux-the-terminal-multiplexer/
http://blog.hawkhost.com/2010/07/02/tmux-%E2%80%93-the-terminal-multiplexer-part-2/

Happy (sandboxed) pairing.

Cheers