3

So I have been working on this for some time. I would like to know if there is a better way or if I am on the right track.

I would basically like to allow some users to log in to my server via SSH and then have a squid tunnel via that SSH connection.

The tricky part however is that I don't want these users to be able to execute ANY commands. I mean NOTHING at all.

So at this stage I have set up a jail via jailkit. The specific user is then placed in the jail and given the bash shell as a shell.

The next step would be to remove all the commands in the /jail/bin/ directories etc so that they are not able to execute any commands.

Am I on the right path here? What would you suggest?

Also, I see that it will give them many "command not found" errors; how do I remove these?

Is there any other shell I could look at giving them that would not let them do anything?

David
  • 33
  • 5

1 Answer

2

You could set their shell to something like /bin/true, or maybe a simple script that will output an informational message, and then have them log on using ssh -N (see the ssh manual page). I believe that allows them to use port forwarding without having an actual shell on the system.

EDIT:

The equivalent of ssh -N in PuTTY is checking the "Don't start a shell or command at all" checkbox in its SSH configuration tab (Connection->SSH).

EDIT2:

As an alternative to this you could use a script that enters an infinite sleep loop. Until it is interrupted using Ctrl-C the connection will remain alive. I just tried this:

#!/bin/sh
# Print a short notice so the user knows why there is no prompt.
echo "DNSH: Do-Nothing Shell"
# Keep the session (and its forwarded ports) alive until the client
# disconnects or presses Ctrl-C; the loop body does nothing.
while sleep 3600; do :; done

If you use this as a shell (preferably with a more helpful message) your users will be able to use port-forwarding without an actual shell and without having to know about ssh -N and friends.

thkala
  • 84,049
  • 23
  • 157
  • 201
  • They could still use `ssh -t $host /bin/sh` to get a shell regardless. – ephemient Nov 25 '10 at 08:36
  • How would I go about using a script that enters an infinite sleep loop? – David Nov 25 '10 at 08:44
  • @ephemient: ssh -t does not seem to work this way on my system. – thkala Nov 25 '10 at 08:45
  • @ephemient: any command I supply to ssh seems to go through the defined shell using the -c shell option – thkala Nov 25 '10 at 08:53
  • The infinite loop script seems like the thing I'm looking for... so just create that as a new custom shell? – David Nov 25 '10 at 09:05
  • Thanks for the help... exactly what I need! Just need to know how to enable this script as the shell? When I create the custom script and set it as the user's shell I am not able to log in – David Nov 25 '10 at 09:12
  • @David: That's what I did. You might want to verify that everything goes through it first, by having it print its arguments and trying ssh user@host /bin/bash or something. Keep in mind that this may also disable sftp and scp, so you might want to modify the script to allow those operations. – thkala Nov 25 '10 at 09:14
  • @David: you might need to enter it in the allowed shell list. Mine is in /etc/shells, for example – thkala Nov 25 '10 at 09:16
  • just had to chmod +x the script – David Nov 25 '10 at 09:18
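The comments above raise the point that any command a client supplies (ssh user@host /bin/bash, scp, sftp, even ssh -t) reaches the login shell as "shell -c command", so a do-nothing shell should explicitly recognise and refuse that form rather than rely on the sleep loop alone. The script below is an added example, not thkala's posted script: it assumes it is installed as /usr/local/bin/dnsh (a hypothetical path), relies on sshd's convention of starting an interactive login shell with a leading '-' in argv[0] and a remote command as "dnsh -c <command>", and logs refused commands via logger, which is optional.

```sh
#!/bin/sh
# dnsh: a "do-nothing" login shell (assumed installed as /usr/local/bin/dnsh).
# sshd starts the login shell as "-dnsh" for an interactive session and as
# "dnsh -c <command>" for a remote command (scp and sftp included), so one
# script can keep the tunnel session alive while refusing every command.

# Classify an invocation from its argv[0] and the remaining arguments.
# Returns 0 for an interactive login, 1 for a remote command, 2 otherwise
# (for example when the file is executed directly as a script).
dnsh_classify() {
    argv0=$1
    shift
    if [ "${1:-}" = "-c" ]; then
        return 1
    fi
    case "$argv0" in
        -*) return 0 ;;   # a leading '-' marks a login shell
        *)  return 2 ;;
    esac
}

# Build the message shown to a client whose remote command was refused.
dnsh_reject_message() {
    printf 'DNSH: refused remote command: %s\n' "$1"
}

dnsh_main() {
    if dnsh_classify "$0" "$@"; then kind=0; else kind=$?; fi
    case $kind in
        0)
            echo "DNSH: Do-Nothing Shell. This account only permits port forwarding."
            echo "DNSH: press Ctrl-C or close the client to disconnect."
            # Keep the SSH session (and its forwarded ports) open; sleeping in
            # long intervals costs nothing.
            while sleep 3600; do :; done
            ;;
        1)
            # $2 is the command text sshd passed after -c. Record the attempt
            # for the administrator; logger may be absent, so ignore failures.
            logger -t dnsh "refused remote command for ${USER:-unknown}: $2" 2>/dev/null || true
            dnsh_reject_message "$2" >&2
            exit 1
            ;;
        *)
            echo "dnsh: install as a login shell (chmod +x, list it in /etc/shells, then chsh)" >&2
            ;;
    esac
}

dnsh_main "$@"
```

As the thread concludes, the script must be executable and listed in /etc/shells before chsh or usermod will accept it as a login shell. Note that the shell only controls command execution; which ports the user may forward is still decided by sshd's own AllowTcpForwarding and PermitOpen settings in sshd_config.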