[wellylug] ssh problem
Mark Signal
mark at remote-assist.co.nz
Fri Feb 4 10:26:33 NZDT 2005
Thanks for that.
I would appreciate any pointers on how I could improve on the following:
After much faffing around I have given all users rbash as a shell.
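I have added "command="conkill.sh",no-pty" to their authorized keys file.
conkill.sh contains:
#!/bin/rbash
# Runs as the forced command; kills this account's ssh sessions.
USER=`whoami`
# ps x lists this account's processes; keep the lines that mention the
# user name and take the PID from the first 5 columns.
kill `ps x | grep "$USER" | grep -v grep | cut -c1-5`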
The theory is that they have a shell (rbash) but can't use it because of
the "no-pty" in the authorized keys file.
If they connect with -N in the ssh string the conkill.sh isn't run and
they can do their port forwarding.
If they connect without the -N then conkill.sh runs and disconnects them
and all other users on the account (including duff ones).
I added a "nuke all" button to their connection program which connects
without the -N and wham - all stray connections gone.
It all seems to work.
Thanks to all for their help.
Cheers
Mark
Ewen McNeill wrote:
>In message <42015260.5010700 at remote-assist.co.nz>, Mark Signal writes:
>
>>>[ssh in for port forwarding only]
>>>
>>Is there a shell that I can allocate users that allows them to do
>>nothing other than logon?
>
>What I've done at a couple of sites for this is write a (tiny) C program
>that basically prints out a message (to the effect that it's not an
>interactive shell) and then waits for input -- as soon as it gets input,
>it exits. (It is basically a "hello world" C program with one extra
>read() that makes it wait for some input.) This can then be safely used
>as a replacement "shell" which doesn't allow the user to do anything.
>
>The advantage of this over something like /bin/true as a shell is
>that it runs for the duration of the session. /bin/true will exit
>(immediately :-) ) which will generally mean that the ssh connection
>closes, unless you use magic arguments to keep the ssh connection open
>for the port forwarding only (and those options appear to be the ones
>that are disabling the features you want enabled).
>
>Ewen
>
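The placeholder shell Ewen describes above could look like the following. This is an added example, not Ewen's program or code from the thread; the notice text and the names hold_session and write_all are assumptions.

```c
/* Added example: placeholder login "shell" for forwarding-only accounts. */
#include <errno.h>
#include <string.h>
#include <unistd.h>

static const char NOTICE[] =
    "This account is for SSH port forwarding only; no interactive shell.\n"
    "Press Enter to disconnect.\n";

/* Write the whole buffer, retrying on short writes and EINTR. */
static int write_all(int fd, const char *buf, size_t len)
{
    while (len > 0) {
        ssize_t n = write(fd, buf, len);
        if (n < 0) {
            if (errno == EINTR)
                continue;
            return -1;
        }
        buf += n;
        len -= (size_t)n;
    }
    return 0;
}

/* Print the notice on out_fd, then block until in_fd yields input or EOF.
 * Returns 0 when the session ended normally, 1 on an I/O error. */
int hold_session(int in_fd, int out_fd)
{
    char byte;
    ssize_t n;

    if (write_all(out_fd, NOTICE, strlen(NOTICE)) != 0)
        return 1;
    do {
        n = read(in_fd, &byte, 1);      /* the one extra read() */
    } while (n < 0 && errno == EINTR);  /* a signal is not input */
    return n < 0 ? 1 : 0;
}

/* argv is deliberately ignored: sshd starts the login shell as
 * "shell -c <command>" for remote commands, and none may be run. */
int main(int argc, char **argv)
{
    (void)argc;
    (void)argv;
    return hold_session(STDIN_FILENO, STDOUT_FILENO);
}
```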