LinuxQuestions.org
Old 05-02-2008, 05:16 AM   #1
humbletech99
Member
 
Registered: Jun 2005
Posts: 374

Rep: Reputation: 30
SSH tunnel server, no shell but still able to change pw?


I have an SSH tunnel server that some people at work are using instead of a VPN since it's much nicer and simpler.

I don't want to give the users shells at all but I still want them to be able to change their own passwords.

At the moment, they just execute /bin/cat so their session stays open but they cannot get any shell or input any commands.

I am thinking about perhaps making chroots for them instead, in which case they can have a shell that has basically no view or access to anything, but I still want them to be able to change their passwords. However, if they are in a jail then they cannot get access to the /etc/ files to change their pw.

Any ideas?
 
Old 05-02-2008, 07:34 AM   #2
blackhole54
Senior Member
 
Registered: Mar 2006
Posts: 1,896

Rep: Reputation: 61
If they authenticate with public key encryption then you can limit them to a specific command. Of course, then they will not need to change their password (I think)! But it will be more secure.

If you want to stay with passwords, would it work to simply execute /usr/bin/passwd instead of /etc/cat? (I haven't tried this.) They would have to have the discipline to leave it alone during one of their "normal" (non password changing) sessions.
 
Old 05-02-2008, 08:38 AM   #3
humbletech99
Member
 
Registered: Jun 2005
Posts: 374

Original Poster
Rep: Reputation: 30
I thought of changing the shell to passwd but this bothers them every time and seems quite sucky to me.

We're going to stick with passwords for now, I don't want to bother the users with ssh keys.

Last edited by humbletech99; 05-02-2008 at 08:39 AM.
 
Old 05-03-2008, 12:56 AM   #4
blackhole54
Senior Member
 
Registered: Mar 2006
Posts: 1,896

Rep: Reputation: 61
Quote:
Originally Posted by humbletech99
I thought of changing the shell to passwd but this bothers them every time and seems quite sucky to me.
Do I understand correctly that normally they are just using ssh for port forwarding? If so, what if ssh is normally called with the -N option? And then don't use that option for the times when they do want to change the password. Under Linux you could create an alias for this. If perchance they are using PuTTY on a Microsoft system I believe there is an option in its "control panel" that does the same thing.
 
Old 05-08-2008, 05:11 AM   #5
humbletech99
Member
 
Registered: Jun 2005
Posts: 374

Original Poster
Rep: Reputation: 30
You are completely right, of course. I reckon I'll just integrate this system with AD to get around this though...
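A check for the setup discussed in this thread, added here as an example and not posted by any participant: it lists accounts in a tunnel-only group whose login shell is something other than the non-shell commands mentioned above (/bin/cat from post #1, /usr/bin/passwd from post #2) or a no-login placeholder. The group name `sshtunnel`, the function names and the sample passwd/group data are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). "sshtunnel" and the sample data
# below are constructed assumptions.

# Login commands that do not give the user a command interpreter.
ALLOWED_SHELLS="/bin/cat /usr/bin/passwd /usr/sbin/nologin /sbin/nologin /bin/false"

# audit_tunnel_shells GROUP PASSWD_FILE GROUP_FILE
# Prints user:shell for each member of GROUP whose shell is not allowed.
audit_tunnel_shells() {
    awk -F: -v grp="$1" -v allowed="$ALLOWED_SHELLS" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        FNR == NR {                      # first file: group
            if ($1 == grp) {
                gid = $3
                m = split($4, u, ",")
                for (i = 1; i <= m; i++) member[u[i]] = 1
            }
            next
        }
        # second file: passwd; match supplementary members and primary GID
        (($1 in member) || (gid != "" && $4 == gid)) && !($7 in ok) {
            print $1 ":" ($7 == "" ? "/bin/sh" : $7)   # empty field means /bin/sh
        }
    ' "$3" "$2"
}

write_samples() {   # constructed sample files
    cat > "$1/passwd" <<'EOF'
alice:x:1001:2000::/home/alice:/bin/cat
bob:x:1002:2000::/home/bob:/usr/bin/passwd
carol:x:1003:100::/home/carol:/bin/bash
dave:x:1004:2000::/home/dave:/bin/bash
erin:x:1005:100::/home/erin:
frank:x:1006:100::/home/frank:/bin/bash
EOF
    cat > "$1/group" <<'EOF'
users:x:100:
sshtunnel:x:2000:carol,erin
EOF
}

demo() {
    d=$(mktemp -d) && write_samples "$d" &&
        audit_tunnel_shells sshtunnel "$d/passwd" "$d/group"
    rm -rf "$d"
}
demo
```

On a real host the call would be `audit_tunnel_shells sshtunnel /etc/passwd /etc/group`; accounts that come from a directory service are not in those files and need `getent` output instead.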
 
  

