
Re: SSH forwarding with an "untrusted" user



On Wed, 2002-08-14 at 11:34, Mike Dresser wrote:
> I've got a series of remote locations that I need to be able to connect to
> from head office.
> 
> I need to be able to give a user the ability to ssh in, using port
> forwarding (such as through putty), to a machine inside the firewall at
> the remote location.
> 
> So I load up putty, set up the forward, and it works and all.
> 
> Here's the catch..  There's a shell running in the background.  How do I
> do this, without leaving a shell running around where the "untrusted" user
> can access it?
> 
> There's an option in ssh to not allocate a pseudo-terminal, but I don't
> trust the user not to change that.  I need something server-side for that
> user login.

Edit your /etc/passwd file and, instead of /bin/bash, point it to a script
which you will create, say /usr/local/bin/dummyshell.

Then create the file /usr/local/bin/dummyshell, which will contain:

#!/bin/sh
echo "Press enter to close"
read enterpressed

Run chmod +x /usr/local/bin/dummyshell
Now when your user logs in, he will just get that prompt.

Another possibility is to use normal port forwarding via ipchains or
iptables so that this intermediate step is not needed at all. You should
be able to find plenty of documentation on how to do it. If not, see
this list.

-Mark
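
To check the /etc/passwd change described in the message above across several accounts, here is an added example (not part of the original message) that audits whether each tunnel-only account's login shell is the dummy shell. The function name audit_tunnel_users, the account names and the sample passwd content are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit tunnel-only accounts against a passwd(5)-format file.

# Constructed sample data: name:pw:uid:gid:gecos:home:shell
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
site-a:x:1001:1001:Remote site A:/home/site-a:/usr/local/bin/dummyshell
site-b:x:1002:1002:Remote site B:/home/site-b:/bin/bash
site-c:x:1003:1003:Remote site C:/home/site-c:
EOF
}

# audit_tunnel_users PASSWD_FILE DUMMY_SHELL USER...
# Prints one finding per line; returns 0 when clean, 1 otherwise.
audit_tunnel_users() {
    passwd_file=$1; dummy_shell=$2; shift 2
    rc=0
    for user in "$@"; do
        # Pull home and shell (fields 6 and 7) for an exact name match.
        entry=$(awk -F: -v u="$user" '$1 == u { print $6 ":" $7; exit }' "$passwd_file")
        if [ -z "$entry" ]; then
            echo "$user: no passwd entry"; rc=1; continue
        fi
        home=${entry%%:*}
        shell=${entry#*:}
        if [ -z "$shell" ]; then
            # An empty shell field means the system default, /bin/sh.
            echo "$user: empty shell field, login falls back to /bin/sh"; rc=1
        elif [ "$shell" != "$dummy_shell" ]; then
            echo "$user: login shell is $shell, expected $dummy_shell"; rc=1
        fi
        # A dummy shell under the user's own home could be replaced by that user.
        if [ -n "$home" ]; then
            case $dummy_shell in
                "$home"/*) echo "$user: $dummy_shell is inside home $home"; rc=1 ;;
            esac
        fi
    done
    return $rc
}

# Demo on the constructed sample (site-d is deliberately missing).
tmp=$(mktemp)
sample_passwd > "$tmp"
audit_tunnel_users "$tmp" /usr/local/bin/dummyshell site-a site-b site-c site-d \
    || echo "audit: findings above"
rm -f "$tmp"
```

Against a real system, pass /etc/passwd as the first argument and the list of tunnel-only account names after the dummy shell path.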
