cat as a login shell

b8rt · 12-11-2006, 01:17 PM

Are there any security issues of setting a user's login shell to:

/usr/bin/cat

I have done this effectively to disable users from getting a shell with ssh, but still be able to do ssh port forwarding...

What can go wrong?

-b8rt

chort · 12-11-2006, 01:37 PM

What about /usr/bin/true ? I would think that's safer than cat because it shouldn't allow writing to arbitrary files.

b8rt · 12-11-2006, 01:43 PM

When I set it to /usr/bin/true the ssh connection I attempt exits right away, as is the nature of `true`. When it is `cat`, the ssh connection stays open, all port forwarding works, and all the user seems to be capable of is typing in their terminal... I don't see how they can write to files...

-b8rt

chort · 12-11-2006, 01:55 PM

Actually, you're right cat wouldn't allow writing to files any more than true would, without output redirection. It could allow reading files though (if you're trying to prohibit logins, that could be a problem. So what you're really looking for is an infinite loop or infinite blocking.

What about compiling a simple C program to simply sleep() inside an infinite loop?

b8rt · 01-20-2012, 12:00 PM

Code:

$ cat idle.cpp 
#include <iostream>

int main(){
  std::cout << "Doing nothing...forever!\n" << std::flush;
  while(1){sleep(1);}
  return 0;
}

$ g++ idle.cpp -o idle
$ ./idle 
Doing nothing...forever!

ntubski · 01-20-2012, 03:26 PM

Quote:

Originally Posted by b8rt

When I set it to /usr/bin/true the ssh connection I attempt exits right away, as is the nature of `true`.

I don't have an ssh server handy to test this on, but does it still exit right away if you use the -N option on the client side?

Code:

     -N      Do not execute a remote command.  This is useful for just
             forwarding ports (protocol version 2 only).

http://www.openbsd.org/cgi-bin/man.c...=ssh&sektion=1

b8rt · 01-20-2012, 03:44 PM

ntubski, indeed -N for ssh just connects and executes nothing. On the other hand, changing the default shell to an idle process seems to make it mandatory for the user and not optional.

-
bart

rodrifra · 01-21-2012, 09:42 AM

/usr/sbin/nologin was created for your purpose.