LinuxQuestions.org

-   -   SSH tunnel server, no shell but still able to change pw? (http://www.linuxquestions.org/questions/linux-security-4/ssh-tunnel-server-no-shell-but-still-able-to-change-pw-639301/)

humbletech99 05-02-2008 05:16 AM

SSH tunnel server, no shell but still able to change pw?
 
I have an SSH tunnel server that some people at work are using instead of a vpn since it's much nicer and simpler.

I don't want to give the users shells at all but I still want them to be able to change their own passwords.

At the moment, they just execute /bin/cat so their session stays open but they cannot get any shell or input any commands.

I am thinking about perhaps making chroots for them instead in which case they can have a shell that has basically no view or access to anything, but I still want them to be able to change their passwords, however if they are in a jail then they cannot get access to the /etc/ files to change their pw.

Any ideas?

blackhole54 05-02-2008 07:34 AM

If they authenticate with public key encryption then you can limit them to a specific command. Of course, then they will not need to change their password (I think)! But it will be more secure.

If you want to stay with passwords, would it work to simply execute /usr/bin/passwd instead of /etc/cat? (I haven't tried this.) They would have to have the discipline to leave it alone during one of their "normal" (non password changing) sessions.

humbletech99 05-02-2008 08:38 AM

I thought of changing the shell to passwd but this bothers them every time and seems quite sucky to me.

We're going to stick with passwords for now, I don't want to bother the users with ssh keys.

blackhole54 05-03-2008 12:56 AM

Quote:

Originally Posted by humbletech99 (Post 3139874)
I thought of changing the shell to passwd but this bothers them every time and seems quite sucky to me.

Do I understand correctly that normally they are just using ssh for port forwarding? If so, what if ssh is normally called with the -N option? And then don't use that option for the times when they do want to change the password. Under Linux you could create an alias for this. If perchance they are using PuTTY on a Microsoft system I believe there is an option in its "control panel" that does the same thing.
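The ideas in this thread, a session that can only ever run cat or passwd (first two posts) and the client-side convention of using -N for tunnel-only sessions (this post), combined into one server-side script. This is an added example, not code from the original posts or from the OpenSSH project. The script name tunnel-shell, the install path, the group name tunnelonly and the user alice are assumptions.

```shell
#!/bin/sh
# tunnel-shell: a login shell / ForceCommand for port-forwarding-only accounts.
# Added example for this thread, not code from the original posts.
#
# Assumed deployment (hypothetical paths and names):
#   install -m 755 tunnel-shell /usr/local/bin/tunnel-shell
#   echo /usr/local/bin/tunnel-shell >> /etc/shells
#   chsh -s /usr/local/bin/tunnel-shell alice
# or, for a whole group (users keep /bin/sh as their login shell), in
# /etc/ssh/sshd_config:
#   Match Group tunnelonly
#       ForceCommand /usr/local/bin/tunnel-shell
#       AllowTcpForwarding yes
#       X11Forwarding no
#       AllowAgentForwarding no

# Map the command the client asked for to an action. Pure function, so it can
# be exercised without an SSH session. Prints one of: hold, passwd, deny.
tunnel_action() {
    case "$1" in
        "")      echo hold ;;    # plain "ssh host": keep the session open, like /bin/cat
        passwd)  echo passwd ;;  # "ssh -t host passwd": let the user change their password
        *)       echo deny ;;    # anything else (including "passwd; sh"): refuse
    esac
}

tunnel_main() {
    # As a login shell sshd runs us as "tunnel-shell -c '<command>'";
    # as a ForceCommand the request arrives in SSH_ORIGINAL_COMMAND.
    requested="${SSH_ORIGINAL_COMMAND:-}"
    if [ "${1:-}" = "-c" ]; then
        requested="${2:-}"
    fi

    case "$(tunnel_action "$requested")" in
        hold)
            echo "Tunnel open; close this window to disconnect." >&2
            exec /bin/cat
            ;;
        passwd)
            # passwd needs a terminal, so the client must request one (ssh -t).
            exec /usr/bin/passwd
            ;;
        *)
            echo "tunnel-shell: command not permitted: $requested" >&2
            exit 1
            ;;
    esac
}

# Dispatch only when really running as the installed shell (argv[0] is
# "-tunnel-shell" for a login shell, or the full path for a ForceCommand);
# when the file is run or sourced under another name it only defines functions.
case "$0" in
    *tunnel-shell) tunnel_main "$@" ;;
esac
```

Client side: `ssh -N -L 8080:intranet:80 alice@tunnel` opens no session channel at all, so the script never runs; a PuTTY user who omits the -N equivalent lands in the "hold" branch and sees the same behaviour as /bin/cat. To change a password the user runs `ssh -t alice@tunnel passwd`; without -t, passwd has no controlling terminal and fails. Pick one mechanism: either chsh the account to tunnel-shell, or keep /bin/sh as the login shell and rely on the ForceCommand, since sshd runs a ForceCommand through the user's shell with -c and /bin/cat cannot do that. Either way, scp and the sftp subsystem are refused by the "deny" branch.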

humbletech99 05-08-2008 05:11 AM

You are completely right of course. I reckon I'll just integrate this system with AD to get around this though...
