LinuxQuestions.org
Share your knowledge at the LQ Wiki.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Software
User Name
Password
Linux - Software This forum is for Software issues.
Having a problem installing a new program? Want to know which application is best for the job? Post your question in this forum.

Notices


Reply
  Search this Thread
Old 11-01-2006, 02:40 AM   #1
sardaukar_siet
Member
 
Registered: Feb 2003
Location: London
Distribution: Fedora 22
Posts: 59

Rep: Reputation: 15
SSH wrapper for telnet login


I run an old-school bbs at telnet://sardaukar.ath.cx.

How can I create an account only allowed to access through ssh, that runs "telnet localhost" at login?

Thanks!
 
Old 11-02-2006, 09:32 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600
If you run FC then these requirements you already have: PAM-aware distro and PAM module listfile. Now "yum noexec" and you're done.
1. Edit /etc/shells and add a new line "/bin/shell_wrapper",
2. Edit /etc/passwd and change the users shell to read "/bin/shell_wrapper",
3. Edit /etc/pam.d/login and add a line
Code:
auth       required     pam_listfile.so item=user sense=deny file=/etc/pam.d/login.deny onerr=succeed
below the other lines in the "auth" section and echo into it the username,
4. Touch file "/bin/shell_wrapper", set owner and group to root and access rights octal mode to 0755, then fill with:
Code:
#!/bin/ash
/usr/bin/noexec -L /usr/lib -l libnoexec.so telnet 127.0.0.1 23
exit 0
and see if it runs.

5. Testing.
- test the users local login. This should come up as denied.
- test the users SSH login. This should work and you should be presented with the telnet lines.
- test if you can get a subshell in this process: type Z. The connection should be broken.
- test if you can get a subshell by issueing "CTRL+v CTRL+]" in telnet. Type "!". The connection should be broken after a few enters.

6. TODO (you, not me)
- Harden the box properly (GRSecurity, SELinux)
- Implement one method from http://www.linuxquestions.org/questi...d.php?t=340366
- Chroot the user or see if ChrootSSH works.
- Wrap in RootSH or similar to get an audit trail of whatever is typed.

HTH, but YMMV(VM).

Last edited by unSpawn; 11-02-2006 at 09:36 AM.
 
Old 11-02-2006, 11:39 AM   #3
sardaukar_siet
Member
 
Registered: Feb 2003
Location: London
Distribution: Fedora 22
Posts: 59

Original Poster
Rep: Reputation: 15
WOW! Worked like a charm! Thank you.
 
Old 11-02-2006, 12:31 PM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600
Cool. Please take notice of the TODO list items though.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
auto-login script for connecting to remote m/n by using telnet/ftp/ssh Uday123 Programming 5 10-12-2011 12:31 PM
Automatting Telnet or SSH Login prashant_1012 Programming 6 09-12-2005 03:26 PM
SSH/Telnet, disable root login, how? muhazam Linux - Security 6 08-17-2004 01:49 PM
Telnet and ssh login message digitalgravy Linux - Newbie 7 01-07-2004 11:35 PM
Strange! SSH and Telnet login problem McSmooth Linux - General 7 10-03-2003 10:24 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Software

All times are GMT -5. The time now is 04:15 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration