[wellylug] ssh problem

Mark Signal mark at remote-assist.co.nz
Fri Feb 4 10:26:33 NZDT 2005


Thanks for that.

I would appreciate any pointers on how I could improve on the following:

After much faffing around I have given all users rbash as a shell.
I have added "command="conkill.sh",no-pty" to their authorized keys file.

conkill.sh contains:
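#!/bin/rbash
# Kill every process of this account whose ps line mentions the user name
# (this includes the caller's own session).
USER=`whoami`
kill `ps x | grep "$USER" | grep -v grep | cut -c1-5`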

The theory is that they have a shell (rbash) but can't use it because of 
the "no-pty" in the authorized keys file.
If they connect with -N in the ssh string the conkill.sh isn't run and 
they can do their port forwarding.
If they connect without the -N then conkill.sh runs and disconnects them 
and all other users on the account (including duff ones).

I added a "nuke all" button to their connection program which connects 
without the -N and wham - all stray connections gone.

It all seems to work

thanks to all for their help

cheers

Mark

Ewen McNeill wrote:

>In message <42015260.5010700 at remote-assist.co.nz>, Mark Signal writes:
>>>[ssh in for port forwarding only]
>>
>>Is there a shell that I can allocate users that allows them to do 
>>nothing other than logon?
>
>What I've done at a couple of sites for this is write a (tiny) C program
>that basically prints out a message (to the effect that it's not an
>interactive shell) and then waits for input -- as soon as it gets input,
>it exits.  (It is basically a "hello world" C program with one extra
>read() that makes it wait for some input.)  This can then be safely used
>as a replacement "shell" which doesn't allow the user to do anything.
>
>The advantage of this over something like /bin/true as a shell is
>that it runs for the duration of the session.  /bin/true will exit
>(immediately :-) ) which will generally mean that the ssh connection
>closes, unless you use magic arguments to keep the ssh connection open
>for the port forwarding only (and those options appear to be the ones
>that are disabling the features you want enabled).
>
>Ewen


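An added example, not part of either message: one way to pick the account's sshd session PIDs by field and exact process title, instead of by grep and a fixed five-character column as conkill.sh does, run here on constructed ps output. The function names and the sample lines are made up for illustration, and the process-title formats are an assumption about OpenSSH's sshd.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes OpenSSH's process titles:
# "sshd: USER@notty", "sshd: USER@pts/N", "sshd: USER [priv]"; newer
# releases use "sshd-session:" as the prefix instead of "sshd:".

# session_pids USER: read "PID ARGS..." lines (as printed by
# `ps -o pid= -o args=`) on stdin, print the PIDs of USER's sshd sessions.
session_pids() {
    awk -v user="$1" '
        $2 ~ /^sshd(-session)?:$/ &&
        ($3 == user || index($3, user "@") == 1) { print $1 }
    '
}

# nuke_sessions (hypothetical name): what the forced command would call.
# Selects by field, so PIDs longer than five digits are not truncated,
# and by exact title, so unrelated command lines are not matched.
nuke_sessions() {
    me=$(id -un)
    pids=$(ps -u "$me" -o pid= -o args= | session_pids "$me")
    # $pids is unquoted on purpose: one argument per PID.
    if [ -n "$pids" ]; then kill $pids; fi
}

# Constructed ps output, for illustration only.
sample_ps() {
    cat <<'EOF'
  812 /usr/sbin/sshd -D
 4105 sshd: mark@notty
 4230 sshd: markus@pts/2
 4231 rbash -c conkill.sh
 4240 vi /home/mark/notes.txt
123456 sshd: mark@notty
EOF
}

# Demo on the sample; nothing is killed here.
sample_ps | session_pids mark
```

On the sample, a grep for "mark" followed by cut -c1-5 would also pick up the markus session and the vi process, and would turn PID 123456 into 12345; the field-based match returns only 4105 and 123456.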