If you run FC then you already have these requirements: a PAM-aware distro and the PAM module listfile. Now "yum noexec" and you're done.
1. Edit /etc/shells and add a new line "/bin/shell_wrapper",
2. Edit /etc/passwd and change the user's shell to read "/bin/shell_wrapper",
3. Edit /etc/pam.d/login and add a line
Code:
auth required pam_listfile.so item=user sense=deny file=/etc/pam.d/login.deny onerr=succeed
below the other lines in the "auth" section, and echo the username into it,
4. Touch the file "/bin/shell_wrapper", set its owner and group to root and its access rights to octal mode 0755, then fill it with:
Code:
#!/bin/ash
# Hand the login session straight to telnet; libnoexec is preloaded so the
# process cannot exec anything else (no subshell escape from inside telnet).
/usr/bin/noexec -L /usr/lib -l libnoexec.so telnet 127.0.0.1 23
# Always leave the session once telnet returns, never fall through to a shell.
exit 0
and see if it runs.
5. Testing.
- test the user's local login. This should come up as denied.
- test the user's SSH login. This should work and you should be presented with the telnet lines.
- test if you can get a subshell in this process: type Z. The connection should be broken.
- test if you can get a subshell by issuing "CTRL+v CTRL+]" in telnet. Type "!". The connection should be broken after a few enters.
6. TODO (you, not me)
- Harden the box properly (GRSecurity, SELinux)
- Implement one method from
http://www.linuxquestions.org/questi...d.php?t=340366
- Chroot the user or see if ChrootSSH works.
- Wrap in RootSH or similar to get an audit trail of whatever is typed.
HTH, but YMMV(VM).
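An added audit script (my example, not part of the post above) that checks whether steps 1 to 4 actually landed on the box: the wrapper is listed in /etc/shells, the user's passwd entry points at it, the pam_listfile deny rule is present together with its deny file, and the wrapper is mode 0755 and still hands off to noexec. The deny-file check matters because the rule uses onerr=succeed, which means a missing /etc/pam.d/login.deny silently allows local login again. The first argument is a directory prefix (an assumption of this script, not anything on the page) so it can be run against a constructed tree; pass an empty string to check the live system. The user name "alice" and the demo tree are constructed sample data.

```shell
#!/bin/sh
# check_restricted_user PREFIX USER -> exit 0 if the wrapper setup is complete.
check_restricted_user() {
    root=$1; user=$2; wrapper=/bin/shell_wrapper
    rc=0

    # Step 1: the wrapper must be an allowed shell.
    grep -qx "$wrapper" "$root/etc/shells" \
        || { echo "FAIL: $wrapper not listed in /etc/shells"; rc=1; }

    # Step 2: the user's login shell must be the wrapper.
    shell=$(awk -F: -v u="$user" '$1==u {print $7}' "$root/etc/passwd")
    [ "$shell" = "$wrapper" ] \
        || { echo "FAIL: $user has shell '$shell', expected $wrapper"; rc=1; }

    # Step 3: pam_listfile deny rule present, and the user is in the deny file.
    # onerr=succeed means a missing deny file allows login, so its presence is checked.
    grep -Eq '^auth[[:space:]]+required[[:space:]]+pam_listfile\.so.*sense=deny.*file=/etc/pam\.d/login\.deny' \
        "$root/etc/pam.d/login" \
        || { echo "FAIL: pam_listfile deny rule missing from /etc/pam.d/login"; rc=1; }
    grep -qx "$user" "$root/etc/pam.d/login.deny" 2>/dev/null \
        || { echo "FAIL: $user not present in /etc/pam.d/login.deny"; rc=1; }

    # Step 4: wrapper exists, is 0755, and hands the session to noexec.
    if [ -f "$root$wrapper" ]; then
        mode=$(stat -c %a "$root$wrapper" 2>/dev/null || stat -f %Lp "$root$wrapper")
        [ "$mode" = "755" ] || { echo "FAIL: wrapper mode is $mode, expected 755"; rc=1; }
        grep -q '^/usr/bin/noexec ' "$root$wrapper" \
            || { echo "FAIL: wrapper does not invoke /usr/bin/noexec"; rc=1; }
        # Ownership is only meaningful on the live system, not in a scratch tree.
        if [ -z "$root" ]; then
            owner=$(stat -c %U "$wrapper" 2>/dev/null || stat -f %Su "$wrapper")
            [ "$owner" = "root" ] || { echo "FAIL: wrapper owned by $owner, expected root"; rc=1; }
        fi
    else
        echo "FAIL: $wrapper does not exist"; rc=1
    fi
    return $rc
}

# Constructed sample tree mirroring the post's steps (not a real system).
make_demo_layout() {
    d=$(mktemp -d)
    mkdir -p "$d/etc/pam.d" "$d/bin"
    printf '/bin/sh\n/bin/shell_wrapper\n' > "$d/etc/shells"
    printf 'root:x:0:0:root:/root:/bin/sh\nalice:x:1001:1001::/home/alice:/bin/shell_wrapper\n' \
        > "$d/etc/passwd"
    printf 'auth required pam_listfile.so item=user sense=deny file=/etc/pam.d/login.deny onerr=succeed\n' \
        > "$d/etc/pam.d/login"
    printf 'alice\n' > "$d/etc/pam.d/login.deny"
    printf '#!/bin/ash\n/usr/bin/noexec -L /usr/lib -l libnoexec.so telnet 127.0.0.1 23\nexit 0\n' \
        > "$d/bin/shell_wrapper"
    chmod 755 "$d/bin/shell_wrapper"
    echo "$d"
}

# Self-check against the constructed tree; on the live box run: check_restricted_user "" alice
demo=$(make_demo_layout)
check_restricted_user "$demo" alice && echo "OK: alice is confined to the wrapper"
rm -rf "$demo"
```

Each failed check prints one FAIL line and the function returns non-zero, so it can sit in a cron job or a post-install hook and flag drift, for example someone editing /etc/pam.d/login and dropping the deny rule.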