I don't think you have it quite right. ssh is just the connection to the server. You can limit who logs on with ssh (disable root user or only allow specific users to log on for example). However, once the user logs on, if you want to limit what the user does, you'll have to do that on the server side by limiting accounts. I've seen things like the wheel account (posted above), and even such things as to chmod the 'su' command so that only root has rights to run it. Nevertheless, you can't change command permissions with an ssh config. You can only change who gets on.
Well, that would (I believe) in the end require building a unique shell for the user to log into. Perhaps easier is to have a look at PAM and how to configure. There's a way to disable 'su' in the /etc/pam.d/su file I believe. I never messed with it myself, but it could be a start. Here's something I found that might be helpful:
Are you looking possibly to set up a Linux type jail where certain users are logged into a jailed directory tree and can only perform a limited set of commands?
I think this should work
Code:
sudo groupadd nosu
sudo nano /etc/pam.d/su
You see where it says
Code:
#auth required pam_wheel.so deny group=nosu
remove the '#' so that it looks like
Code:
auth required pam_wheel.so deny group=nosu
Save the file by pressing Control+X
now for any user you don't want to allow to su...
Code:
sudo usermod -a -G nosu username
Never tried it, but you can chroot using a livecd if it screws up
Last edited by sandyd; December 13th, 2012 at 03:53 AM.
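A way to check the result of the pam_wheel edit described in the post above, added here as an example and not part of the thread: the script reports whether a PAM su file has an active (uncommented) deny rule for a group and whether a user is in that group. The function names and the two sample files are constructed for illustration; on a real system the file to pass is /etc/pam.d/su.

```shell
#!/bin/sh
# Added example, not from the thread. Function names and sample data are constructed.

# Print each group named by an active "auth ... pam_wheel.so deny group=<name>" line.
pam_su_denied_groups() {
    awk '
        /^[ \t]*#/ { next }              # commented out: the rule is inactive
        $1 == "auth" {
            mod = 0; deny = 0; grp = ""
            for (i = 2; i <= NF; i++) {
                if ($i ~ /pam_wheel\.so$/) mod = 1
                if ($i == "deny") deny = 1
                if ($i ~ /^group=/) grp = substr($i, 7)
            }
            if (mod && deny && grp != "") print grp
        }
    ' "$1"
}

# Return 0 if FILE ($1) denies su to GROUP ($2), 1 otherwise.
pam_su_denies_group() {
    pam_su_denied_groups "$1" | grep -qxF -- "$2"
}

# Return 0 if USER ($1) is a member of GROUP ($2) according to id(1).
user_in_group() {
    id -nG "$1" 2>/dev/null | tr ' ' '\n' | grep -qxF -- "$2"
}

# Constructed sample: "before" has the rule commented, "after" has it enabled.
make_sample() {
    f=$(mktemp)
    {
        echo 'auth       sufficient pam_rootok.so'
        if [ "$1" = after ]; then
            echo 'auth       required   pam_wheel.so deny group=nosu'
        else
            echo '# auth       required   pam_wheel.so deny group=nosu'
        fi
        echo '@include common-auth'
    } > "$f"
    echo "$f"
}

for state in before after; do
    sample=$(make_sample "$state")
    if pam_su_denies_group "$sample" nosu; then echo "$state: nosu is denied su"
    else echo "$state: no active deny rule for nosu"; fi
    rm -f "$sample"
done
```

On a live system, `pam_su_denies_group /etc/pam.d/su nosu && user_in_group username nosu` confirms both halves of the procedure; group changes from usermod only apply to sessions started after the change.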