LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Security (https://www.linuxquestions.org/questions/linux-security-4/)
-   -   Using a perl script as a User's Shell (https://www.linuxquestions.org/questions/linux-security-4/using-a-perl-script-as-a-users-shell-567698/)

john_b 07-08-2007 08:38 PM

Using a perl script as a User's Shell
 
Hi,
I'm interested in setting up a simple game that I created in perl so that it can be accessed over SSH. At the moment I have the script set as a special user's shell, but I'm a little worried about security issues with this setup. There is very minimal user input taken by the script so I'm not worried too much about the script itself, but would there be a way for someone logging in to break out of the script and get to a command shell prompt?

Thanks
JB

jschiwal 07-08-2007 10:34 PM

Try having that script as the "ForceCommand" command in /etc/sshd_config, and changing the user's entry in /etc/passwd so that their shell is /bin/false. I haven't tested this. I don't know if the latter part will cause the game script not to run. At the very least change the shell to /bin/rbash which is a restricted shell.

john_b 07-25-2007 02:30 AM

Thanks for the idea. I've just now gotten around to trying some things. The ForceCommand won't work with the shell set to /bin/false as ForceCommand needs a real shell to run the command. ForceCommand seemed to do what I needed when the user's shell was set to /bin/bash. Simply setting the user's shell to my perl script seems to produce the same result. In testing the latter I am trying to see what the effect of appending a command to the ssh client connect command is. I'm not sure what is happening when I do that, but the script does not immediately run.

Perhaps the most secure way to do this is using a restricted shell of some sort with the ForceCommand option to avoid the security issues that might exist with appending a command to the ssh client login.

john_b 07-25-2007 11:42 PM

After comparing the effects of

1) placing my perl script as my users' shell in /etc/passwd, with

2) placing my perl script as my users' shell in /etc/passwd and setting ForceCommand to run the script, with

3) setting /bin/bash as my user's shell and using ForceCommand to run my script

I found that under all three I was unable to run a command outside of the script. I tried specifying things like "ssh -l user 192.168.1.2 ls /etc" and "ssh -l user 192.168.1.2 /bin/bash".

Under all three options trying to specify a command on connect resulted in the script not immediately running. The cursor flashes on the empty line; if I press return, or enter text and press return, the script runs, taking the text I entered as <STDIN> to the script, which seems strange. Here is what I mean, with the output of my test perl script that prints two lines, takes input, sleeps 2 seconds and spits it out:

---------------------\
me@computer:~$ ssh -l user 192.168.1.2 /bin/bash
user@192.168.1.2's password:
echo "I'm typing this line while the script seems not to be running"
here we go!

enter something:

YOU SAID: echo "I'm typing this line while the script seems not to be running"
---------------------------/

The only other thing of note is that when not using ForceCommand in trial (1) the banner information and last login were displayed. Can anyone figure out why the above is behaving the way it is?
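What the three trials have in common explains the result. When a client supplies a command (and likewise for ForceCommand), sshd does not run the command itself; it starts the user's login shell as "shell -c 'command'", and in that case no pseudo-terminal is allocated unless the client asks for one with ssh -t. A perl script that ignores its arguments therefore runs the game either way, and with stdout being a pipe rather than a tty perl's output is block-buffered, so the prompts only show up once the script flushes on exit. That is the delay seen in the transcript. The added example below (not the poster's script, written for this thread) is a small Perl login shell built around those two facts: it records what the client asked for but never executes it, throws away the inherited environment, and refuses sessions that have no pty. The game path, the syslog tag and the user-visible message are assumptions; Sys::Syslog is a core Perl module. One caveat for the game script itself: read input with <STDIN>, never with the bare diamond operator <>, because <> opens whatever strings sshd left in @ARGV using the two-argument form of open, and a two-argument open of a string beginning with "|" starts a command.

```perl
#!/usr/bin/perl
# Added example (not the script from the thread): a minimal Perl login shell
# that always starts one fixed program, however sshd invoked it.
#
# sshd starts a login shell in one of two ways:
#   interactive session:  shell                (argv[0] begins with "-", pty)
#   command requested:    shell -c 'command'   (also used for ForceCommand;
#                                               no pty unless ssh -t)
# A shell that ignores its arguments behaves the same in both cases, which is
# what the three trials above showed. What still differs is the pty, and that
# is what this wrapper checks before starting the game.
use strict;
use warnings;
use Sys::Syslog qw(openlog syslog closelog);

# Assumed location of the game (hypothetical path).
my $GAME = '/usr/local/games/mygame.pl';

# Capture what the client asked for before the environment is thrown away.
# With ForceCommand, sshd puts the client's original request in
# SSH_ORIGINAL_COMMAND; without it, the request arrives as "-c <command>".
my $requested = defined $ENV{SSH_ORIGINAL_COMMAND} ? $ENV{SSH_ORIGINAL_COMMAND}
              : @ARGV                             ? join(' ', @ARGV)
              :                                     '(interactive login)';
my $peer = defined $ENV{SSH_CLIENT} ? $ENV{SSH_CLIENT} : 'unknown';
my $home = $ENV{HOME};   # set by sshd from /etc/passwd, not by the client

# Replace the environment wholesale: nothing the peer could have set (PATH,
# IFS, PERL5LIB, LD_PRELOAD, ...) reaches the game.
%ENV = (PATH => '/usr/bin:/bin');
$ENV{HOME} = $home if defined $home;

umask 077;
$| = 1;   # unbuffered STDOUT so prompts are not held back behind a pipe

openlog('gameshell', 'pid', 'auth');
syslog('info', 'login from %s, requested: %s', $peer, $requested);

# Only honour real interactive sessions. "ssh user host cmd" without -t gets
# no pty; refuse it instead of running the game with its prompts queued.
unless (-t STDIN && -t STDOUT) {
    syslog('warning', 'no pty from %s, refusing session', $peer);
    closelog();
    print STDERR "This account only offers an interactive game; use a terminal.\n";
    exit 1;
}
closelog();

# exec with an explicit program and no arguments: $requested was logged but is
# never executed, and there is no /bin/sh between sshd and the game.
exec { $GAME } $GAME
    or die "cannot exec $GAME: $!\n";
```

Install it with an absolute path as the account's shell in /etc/passwd (and list it in /etc/shells only if you also want chsh and friends to accept it), then check both entry points: a plain "ssh user host" should start the game, while "ssh user host /bin/bash" should be logged and refused with the message above rather than leaving a silent cursor.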

unSpawn 07-28-2007 04:22 AM

Unless you're a seasoned and confident scripter, and have made sure you covered all potential holes, and even if you restrict access to the shell to known and trusted users, I'd make sure STDIN isn't allowed until it's "safe" to do so, make sure logging is on (network plus Rootsh/Sudosh or GRSecurity or SELinux) and make sure the script is run chrooted.
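Most of the confinement asked for above can be done by sshd itself rather than inside the script. The fragment below is an added example for /etc/ssh/sshd_config, not from the thread; the user name "game", the game path and the jail directory are assumptions. ForceCommand is still run through the account's login shell with -c, so that shell must be one that understands -c (bash, or a wrapper written for the purpose); /bin/false will not work, as found earlier in the thread. ChrootDirectory expects a directory owned by root and not writable by anyone else, and the jail then has to carry everything the game needs: the perl binary, its shared libraries, the modules the game loads, and device nodes such as /dev/null and /dev/tty.

```sshd_config
# Added example, not from the thread. Confine the game account in
# /etc/ssh/sshd_config; keywords below all belong in a Match block.
Match User game
    # One program, always, regardless of what the client requested.
    ForceCommand /usr/local/games/mygame.pl
    # Jail assumed at /srv/game-jail: root-owned, mode 755, populated with
    # perl and its dependencies.
    ChrootDirectory /srv/game-jail
    # The game is interactive, so a pty is still allowed.
    PermitTTY yes
    # Close every other channel the session could open.
    AllowTcpForwarding no
    AllowAgentForwarding no
    AllowStreamLocalForwarding no
    X11Forwarding no
    PermitTunnel no
    # Do not run ~/.ssh/rc, which would otherwise execute before the command.
    PermitUserRC no
```

Before reloading, confirm the Match block resolves the way you expect with sshd's test mode, for example "sshd -T -C user=game | grep -iE 'forcecommand|chrootdirectory|forwarding'", which prints the effective settings for a connection from that user.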

