I have to secure a Linux server that is managed by netconf over ssh. The netconf process is started by a configured ssh subsystem and it works correctly. My question is about prohibiting netconf-only accounts from executing any other function from the ssh command line: e.g. I would like ‘ssh email@example.com ls’ to fail.
My current plan is to use rbash as the shell and then tighten up the config. I am wondering whether there are easier solutions, e.g. can I set the shell to be /usr/sbin/nologin or /usr/bin/true?
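
One way to restrict such accounts in sshd itself, as an added example that is not part of the original post: a `Match` block that forces the NETCONF server for every session and turns off the other channel types. The group name `netconf-only` and the path `/usr/local/bin/netconf-subsystem` are placeholders; substitute the group and subsystem command actually configured on the server.

```conf
# /etc/ssh/sshd_config fragment (added example; group name and path are placeholders)

# Global subsystem definition, standing in for the one already configured.
Subsystem netconf /usr/local/bin/netconf-subsystem

# Applies only to accounts in the hypothetical netconf-only group.
Match Group netconf-only
    # Run the NETCONF server whatever the client requests, so a command
    # such as "ls" passed on the ssh command line is never executed.
    # sshd starts this command through the account's login shell, so a
    # shell of /usr/sbin/nologin or /usr/bin/true would also stop the
    # netconf subsystem from starting.
    ForceCommand /usr/local/bin/netconf-subsystem
    # No interactive terminal.
    PermitTTY no
    # No port, socket, agent, X11 or tunnel forwarding.
    AllowTcpForwarding no
    AllowStreamLocalForwarding no
    AllowAgentForwarding no
    X11Forwarding no
    PermitTunnel no
    # Do not run ~/.ssh/rc for these accounts.
    PermitUserRC no
```

Running `sshd -t` checks the edited file for syntax errors before the daemon is reloaded.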