Comments on: Creating a Restricted SSH User for SSH Tunneling Only http://www.ab-weblog.com/en/creating-a-restricted-ssh-user-for-ssh-tunneling-only/ Andreas Breitschopp Fri, 04 Jan 2013 06:48:43 +0000 hourly 1 http://wordpress.org/?v=3.3.1 By: Chris Davies http://www.ab-weblog.com/en/creating-a-restricted-ssh-user-for-ssh-tunneling-only/#comment-192 Chris Davies Fri, 27 Apr 2012 11:44:28 +0000 http://www.ab-weblog.com/en/?p=453#comment-192 I've just created a user account on my local system with /bin/rbash as the shell. The profile contains two lines <code> test -d "$HOME/bin" && PATH="$HOME/bin" echo "Restricted shell... you're welcome" </code> On my second try I was able to hit Ctrl/C at the right moment to stop the PATH being reset. This is definitely a security hole, and arguably a bug. If you trust your users not to exploit it, then you might as well not bother with rbash in the first place. I’ve just created a user account on my local system with /bin/rbash as the shell. The profile contains two lines

test -d "$HOME/bin" && PATH="$HOME/bin"
echo "Restricted shell... you're welcome"

On my second try I was able to hit Ctrl/C at the right moment to stop the PATH being reset.

This is definitely a security hole, and arguably a bug. If you trust your users not to exploit it, then you might as well not bother with rbash in the first place.

]]> By: Andreas Breitschopp http://www.ab-weblog.com/en/creating-a-restricted-ssh-user-for-ssh-tunneling-only/#comment-191 Andreas Breitschopp Fri, 27 Apr 2012 07:40:06 +0000 http://www.ab-weblog.com/en/?p=453#comment-191 Hello Chris, first thanks for your comment. Maybe you're right that there is a theoretical chance for a user to cancel the execution of the .profile script before setting path="", but you will agree that there is no way that a "real" user is able to hit Ctrl+C fast enough that this simple line is not executed. And this tip here is intended to be for "real" users that has the right to login for SSH tunneling, but should not be able to do any other things on the server. For this purpose this solution should be definitely enough. Best regards Andreas Hello Chris,

first thanks for your comment.

Maybe you’re right that there is a theoretical chance for a user to cancel the execution of the .profile script before setting path=”", but you will agree that there is no way that a “real” user is able to hit Ctrl+C fast enough that this simple line is not executed. And this tip here is intended to be for “real” users that has the right to login for SSH tunneling, but should not be able to do any other things on the server. For this purpose this solution should be definitely enough.

Best regards
Andreas

]]> By: Chris Davies http://www.ab-weblog.com/en/creating-a-restricted-ssh-user-for-ssh-tunneling-only/#comment-190 Chris Davies Fri, 27 Apr 2012 00:02:55 +0000 http://www.ab-weblog.com/en/?p=453#comment-190 Last time I tried to use rbash as a login shell, I could not find any way of preventing the user from hitting Ctrl/C and interrupting the execution of .bash_profile or .profile. (This is at odds with the original sh/rsh implementation, which notes that Ctrl/C is disabled while the .profile is executed.) So you cannot guarantee that any configuration in either of these files intended to restrict the user further will actually be executed. Pathologically, even a <code>trap "" 3</code> at the top of the file could be interrupted. The only solution I found for this was to use a restricted bourne shell (rsh) and have <code>trap "" 3; exec bash</code> within the .profile and to remember to put all the subsequent bash code inside .bashrc Last time I tried to use rbash as a login shell, I could not find any way of preventing the user from hitting Ctrl/C and interrupting the execution of .bash_profile or .profile. (This is at odds with the original sh/rsh implementation, which notes that Ctrl/C is disabled while the .profile is executed.) So you cannot guarantee that any configuration in either of these files intended to restrict the user further will actually be executed.

Pathologically, even a trap "" 3 at the top of the file could be interrupted.

The only solution I found for this was to use a restricted bourne shell (rsh) and have trap "" 3; exec bash within the .profile and to remember to put all the subsequent bash code inside .bashrc

]]> By: Andreas Breitschopp http://www.ab-weblog.com/en/creating-a-restricted-ssh-user-for-ssh-tunneling-only/#comment-164 Andreas Breitschopp Wed, 14 Mar 2012 10:33:22 +0000 http://www.ab-weblog.com/en/?p=453#comment-164 Hello, if you don't want other users to use your service from a proxy (e. g. by SSH tunneling), I see no chance for that, because your service does not know if the client is a "normal" request or a request being tunneled through a SSH proxy. Best regards Andreas Hello,

if you don’t want other users to use your service from a proxy (e. g. by SSH tunneling), I see no chance for that, because your service does not know if the client is a “normal” request or a request being tunneled through a SSH proxy.

Best regards
Andreas

]]> By: KY http://www.ab-weblog.com/en/creating-a-restricted-ssh-user-for-ssh-tunneling-only/#comment-163 KY Wed, 14 Mar 2012 10:32:38 +0000 http://www.ab-weblog.com/en/?p=453#comment-163 I sorry I may still have been unclear Ian look to keep people out I sorry I may still have been unclear Ian look to keep people out

]]> By: KY http://www.ab-weblog.com/en/creating-a-restricted-ssh-user-for-ssh-tunneling-only/#comment-162 KY Wed, 14 Mar 2012 10:30:29 +0000 http://www.ab-weblog.com/en/?p=453#comment-162 Ian sorry for..being misunderstood, I wanted to block other users from the server. thanks for..the fast response KY Ian sorry for..being misunderstood, I wanted to block other users from the server. thanks for..the fast response
KY

]]> By: Andreas Breitschopp http://www.ab-weblog.com/en/creating-a-restricted-ssh-user-for-ssh-tunneling-only/#comment-161 Andreas Breitschopp Wed, 14 Mar 2012 10:23:17 +0000 http://www.ab-weblog.com/en/?p=453#comment-161 Hello, you need to be a little bit more precise in your question: do you want to block a SSH user from using this SSH server as tunneling server or do you want to block other people to use your service from a tunneling server as proxy? Best regards Andreas Hello,

you need to be a little bit more precise in your question:
do you want to block a SSH user from using this SSH server as tunneling server or do you want to block other people to use your service from a tunneling server as proxy?

Best regards
Andreas

]]> By: KY http://www.ab-weblog.com/en/creating-a-restricted-ssh-user-for-ssh-tunneling-only/#comment-160 KY Wed, 14 Mar 2012 10:14:36 +0000 http://www.ab-weblog.com/en/?p=453#comment-160 hello my..freind, I wanted to know is there a way to block tunnel access altogether . ? thx for your time . 8071242@gmail.com KY hello my..freind, I wanted to know is there a way to block tunnel access altogether . ?

thx for your time .
8071242@gmail.com
KY

]]>