LinuxQuestions.org
Welcome to the most active Linux Forum on the web.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 12-27-2007, 09:58 AM   #1
nomb
Member
 
Registered: Jan 2006
Distribution: Debian Testing
Posts: 675

Rep: Reputation: 58
How can I allow ssh tunneling but not a shell? Or equivelent...


Hey how can I allow people to forward ports with ssh from my server using ssh -L but not allow them to have an actual shell that they can login to and run commmands?

thanks very much,

nomb
 
Old 12-27-2007, 11:01 AM   #2
David1357
Senior Member
 
Registered: Aug 2007
Location: South Carolina, U.S.A.
Distribution: Ubuntu, Fedora Core, Red Hat, SUSE, Gentoo, DSL, coLinux, uClinux
Posts: 1,302
Blog Entries: 1

Rep: Reputation: 107Reputation: 107
Quote:
Originally Posted by nomb View Post
Hey how can I allow people to forward ports with ssh from my server using ssh -L but not allow them to have an actual shell that they can login to and run commmands?
Can't you just set their shell in "/etc/passwd" to "/bin/false"?
 
Old 12-28-2007, 09:42 AM   #3
nomb
Member
 
Registered: Jan 2006
Distribution: Debian Testing
Posts: 675

Original Poster
Rep: Reputation: 58
That didn't work. And using /bin/nologin doesn't work because ssh needs to login. Someone suggested changing the shell in /etc/passwd to a script that chrooted the user's home directory. I can write the bash script, but how would I edit the passwd file? Changing '/bin/bash' to 'sh /etc/chroot_script' didn't work and infact killed my ability to login since I'm only allowing RSA keys.

Thanks,
nomb
 
Old 01-02-2008, 10:18 AM   #4
slimm609
Member
 
Registered: May 2007
Location: Chas, SC
Distribution: slackware, gentoo, fedora, LFS, sidewinder G2, solaris, FreeBSD, RHEL, SUSE, Backtrack
Posts: 430

Rep: Reputation: 67
sorry it took so long to reply.

this solution should work just fine.

name the file what ever you want but for this is will use sshtrap


/bin/sshtrap
Code:
#!/bin/bash

trap "" SIGINT SIGQUIT SIGTERM SIGHUP
trap "" SIGTRAP SIGSTOP SIGKILL SIGTSTP 


echo "This is a restricted shell"
echo "Please leave this window open while using port forwarding"

echo -e "type \"EXIT\" to exit\n"; read ANSWER

while [ "$ANSWER" != "EXIT" ]; do
   echo -e "type \"EXIT\" to exit\n"; read ANSWER
done

kill -9 `ps | awk '{ print $1 }'`
chmod +x /bin/sshtrap

then add

/bin/sshtrap to the end of the home users .bashrc file.

That will trap ctrl+c, ctrl+d, ctrl+z, etc. and they can still use ssh port forwarding.


let me know if it works
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
SSH Tunneling kpenrose Linux - Networking 4 10-16-2007 06:40 PM
SSH tunneling entz Linux - Networking 3 04-04-2007 08:22 AM
tunneling thru ssh c9876543210 Linux - Networking 1 07-21-2005 01:45 AM
X tunneling with SSH phekno Linux - Networking 3 05-31-2005 11:43 AM
tunneling with ssh barbanero Linux - Security 2 01-24-2002 11:53 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 02:59 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration