Is this possible....no home directory

piforever · 04-08-2006, 10:00 AM

Is it possible to create a user just for tunneling?? so the system authenticate him but he does not have a home directory so he can not login and browse the system......i am using this account from different terminals and in case someone was tracking what i actually type(id/pass) it will not be that series.....

thnx,

acid_kewpie · 04-08-2006, 12:08 PM

yes, that's totally possible, just set their shell to something like /sbin/nologin their home to /dev/null and whilst they can authenticate they can not actually log in.

piforever · 04-08-2006, 12:45 PM

brilliant....thank you very much.

I got this when I tried to login

Code:

Could not chdir to home directory /dev/null: Not a directory
This account is currently not available.

can i change the message??!! or eliminate it all??!! let us say this user is from a certain group and i want to issue a specific message for this group...

*EDIT*

The user is not connected....so I can not actually use this method for tunneling!!! Any suggestions??

Code:

/usr/sbin/useradd -s/sbin/nologin -d/dev/null someuser

raskin · 04-09-2006, 12:48 PM

Try - though possibly it's less secure (I don't see why would it, but...) - setting 'shell' to some Unix-shell script echoing various curses and exiting.

piforever · 04-09-2006, 01:38 PM

Can you give me an example??

btmiller · 04-09-2006, 05:03 PM

What kind of tunneling do you want the user to be able to do? If you just want him to tunnel HTTP traffic, you might be better served just setting up Squid or another proxy server.

I'm not sure if there's an easier way to do it than to write a little "shell" that basically just holds the connection open for the proxy traffic. At this point you might be even better served by implementing a simple SSL-based VPN so you don't have to mess with it. There are packages like FreeSwan that can help but I haven't ever used them.

live_dont_exist · 04-10-2006, 01:44 AM

Does this help..or did I miss something??

***********
[arvind@arvind Scripts]$ su -
Password:
[root@arvind ~]# useradd -s /sbin/nologin -u 61111 -g 10 -c "VPN User" vpn
[root@arvind ~]# passwd vpn
Changing password for user vpn.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
[root@arvind ~]# grep vpn /etc/passwd
vpn:x:61111:10:VPN User:/home/vpn:/sbin/nologin
[root@arvind ~]# su - vpn
This account is currently not available.
[root@arvind ~]#
***********

piforever · 04-10-2006, 06:47 PM

Quote:

Originally Posted by live_dont_exist

Does this help..or did I miss something??

Thanx....but this is not what we are talking about....

piforever · 04-10-2006, 06:51 PM

Quote:

Originally Posted by btmiller

What kind of tunneling do you want the user to be able to do? If you just want him to tunnel HTTP traffic, you might be better served just setting up Squid or another proxy server.

I'm not sure if there's an easier way to do it than to write a little "shell" that basically just holds the connection open for the proxy traffic. At this point you might be even better served by implementing a simple SSL-based VPN so you don't have to mess with it. There are packages like FreeSwan that can help but I haven't ever used them.

Thanx.....nice info, i'm looking at this at the moment....i'll post back if i successfully implemented those ideas....

pk21 · 04-12-2006, 10:12 PM

Check the prog below, I read about it at packetstormsecurity but haven't tested it myself:

Sleep Dummy Shell

This is a simple do-nothing, sleep-forever program that can be used as a login shell (in Linux or Unix) to keep the connection open but without interactive shell. We use it to create SSH accounts for users who will only use them for SSH-tunneling; to create an encrypted tunnel to our servers (for example to connect securely to database servers like mySQL, PostgreSQL, etc).

http://www.mariovaldez.net/software/sleepshell/

piforever · 04-13-2006, 12:55 PM

WOW!! You are my savior.....just what I was looking for....

Regards,

The site is a bit scary!!

pk21 · 04-13-2006, 07:58 PM

pk21 to the rescue

Source code looks very simple, but is seems to work fine. Even has some sort of keepalive(an asterisk every 10-seconds)

piforever · 04-14-2006, 05:19 AM

Thanx for that...I was thinking...whether the code is efficient and no vulnerabilities are associated with it?? I will go for it then...many thnx