Stitch Documentation
has moved!

Please update your bookmarks to

If you're not automatically redirected after 5 seconds, click here.

Restricting Access to Your Database

When we create an SSH tunnel to your server, there's no need for Stitch to have access to anything but the database. If you don't want us to have full access to the server that houses your database, you can restrict access by forcing the Stitch Linux user into a restricted bash shell.

You may have guessed from the name, but a restricted bash shell is used to set up an environment more controlled than the standard shell. The important thing about this type of shell is that restricted shell users can't access system functions or make any kind of modifications.

Retrieving the Stitch Public Key

The Stitch Public Key can be found on the credentials page for the database you're using. This is accessed by:

  1. From the Stitch dashboard page, click the Add an Integration button.
  2. Click the icon - for example, MySQL - of the database you're using.
  3. In the credentials page, click the Encryption Type menu.
  4. Click the SSH Tunnel option. The SSH fields, along with the Stitch Public Key, will display.

Keep this page open, as you'll need it in the next step.

Restricting the Stitch Linux User

To restrict the Stitch Linux user, you'll need to do two things:

  1. Change the PATH environment variable to be the empty string. This means the user won't be able to access system executables.
  2. Make sure that the shell executed is 'bash -r'

Both of these can be done inside the authorized_keys file in the user's home dir/.ssh directory as part of the command that is executed when the user logs in. It will look something like this:

... other keys ...
command="env PATH="" /bin/bash -r" < [stitch public key goes here] >
... other keys ...

Once this is complete, the user you created for Stitch won't have the ability to make any changes to your system.

Was this article helpful?
0 out of 0 found this helpful


Questions or suggestions? If something in our documentation is unclear, let us know in the comments!