09-10-2009, 02:58 AM #1 Junior Guru Wannabe
Join Date: May 2009
Posts: 83
Disabling terminal command line for SSH users
Hello everyone,
I did try searching for help on this but have not been able to find any good information.
I once used a Socks proxy service some time back with a "privacy provider" to beat the censorship here in China. Yes, one can't even access YouTube or Facebook!!!
Now I have my own vps and have set up Firefox to use the socks proxy on the VPS with SSH login and a tunnel with Putty.
Now, I was hoping to help a few friends out with the same but don't want a bunch of people poking around with an SSH terminal even with only "user" access.
Back when I used that socks proxy provider, I remember very clearly how I logged into SSH with Putty and an SSH terminal but never had access to a command line! The prompt/cursor simply blinked on the spot right after the space where I had entered the user password.
There was no chance to even type "ls" to list dir contents!
Can anyone tell me how to do this or point me at a resource that's understandable to a newbie?
Thank you!
-
09-10-2009, 03:43 AM #2 Junior Guru Wannabe
Join Date: Apr 2008
Location: US
Posts: 82
If you use jailshell, it will confine them to only their directory.
-
09-10-2009, 04:56 AM #3 Aspiring Evangelist
Join Date: Sep 2007
Posts: 369
-
09-10-2009, 04:58 AM #4 Web Hosting Master
Join Date: Jun 2003
Location: UK
Posts: 6,616
Default behaviour is that the system will run the shell that is specified in /etc/passwd (normally /bin/bash).
If you change this to a wrapper around the program you want, you should be able to limit them.
rus
Russ Foster - Industry Curmudgeon
Freelance Sysadmin for Hire - email vaserv@gmail.com
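The wrapper approach suggested in the post above, as an added example that is not code from any poster in this thread: a login shell that keeps the SSH session open without ever presenting a prompt, and turns away remote commands. The install path /usr/local/bin/tunnelshell and the function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example: tunnel-only login shell. The path
# /usr/local/bin/tunnelshell is an assumption, not from the thread.
# Use it as the shell field of the account in /etc/passwd, e.g.
#   techno1:x:8983:8983::/home/techno1:/usr/local/bin/tunnelshell

# sshd starts the login shell with no arguments for an interactive
# session, and as "<shell> -c <command>" for a remote command, scp or
# an external sftp-server.
session_action() {
    if [ "$#" -eq 0 ]; then
        echo hold      # interactive login: keep the session, no prompt
    else
        echo refuse    # any request to run a command is turned away
    fi
}

main() {
    # Ignore Ctrl-C, Ctrl-\ and Ctrl-Z so the keyboard cannot stop the wait.
    trap '' INT QUIT TSTP
    if [ "$(session_action "$@")" = refuse ]; then
        echo "This account is for port forwarding only." >&2
        exit 1
    fi
    # Never read stdin and never exec anything the user supplies.
    # If a sleep is killed the loop starts another one; a hangup from
    # the closed connection ends the script itself.
    while :; do
        sleep 3600
    done
}

# Run only when installed under its real name, so the file can be
# sourced or tested without blocking.
case "${0##*/}" in
    tunnelshell|-tunnelshell) main "$@" ;;
esac
```

The wrapper only removes the command line; which destinations a forwarded connection may reach is decided by sshd itself, for example with PermitOpen in sshd_config.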
-
09-10-2009, 05:24 AM #5 Junior Guru Wannabe
Join Date: May 2009
Posts: 83
-
09-10-2009, 11:18 AM #6 Junior Guru Wannabe
Join Date: May 2009
Posts: 83
-
09-10-2009, 12:37 PM #7 Aspiring Evangelist
Join Date: Sep 2007
Posts: 369
Right, thanks for the info.
Regarding disabling their shell, do this in the /etc/passwd file.
For example, your user ID is this in the /etc/passwd file:
limit:x:9000:9000::/home/limit:/bin/bash
Open the /etc/passwd file and make this change:
limit:x:9000:9000::/home/limit:/sbin/nologin
And if you want to add a new user with a disabled shell, do this:
# useradd techno1 -s /sbin/nologin
# cat /etc/passwd |grep "techno1"
techno1:x:8983:8983::/home/techno1:/sbin/nologin
But the above will disable the shell.
If you want to set a hard limit on the user's processes,
open the file with vi /etc/security/limits.conf,
add this entry for the particular user, and enable the shell:
techno1 hard nproc 2
Last edited by nomankhn; 09-10-2009 at 12:45 PM.
-
09-10-2009, 02:29 PM #8 Junior Guru Wannabe
Join Date: May 2009
Posts: 83
Thanks nomankhn,
The problem is I want them to be able to "stay" on the SSH terminal window BUT have NO command line and so cannot do anything! /sbin/nologin seems to throw the user out.
I have no idea how that old proxy company did it... I wish someone knew exactly how!
Basically it was like ...
login as: johndoe
johndoe@xx.xx.xx.xx's password:
||
|| - this is where the prompt just stopped. There was no command line whatsoever. But the user remained logged in and could access socks proxy etc.
-
09-10-2009, 02:32 PM #9 Aspiring Evangelist
Join Date: Sep 2007
Posts: 369
-
09-11-2009, 08:19 AM #10 Web Hosting Guru
Join Date: Aug 2008
Posts: 338
Why don't you just set up a SOCKS proxy on the server to run as a daemon so you can connect to it directly without tunnelling with SSH?
That way it eliminates shell access completely. Then, depending on the SOCKS daemon, you can configure it to accept connections from only the people you want to access it, or if it functions as an open SOCKS proxy, just use iptables to perform the connection management.
-
09-12-2009, 04:25 AM #11 Now renamed!
Join Date: May 2009
Location: Vaduz/LI
Posts: 2,778
Every time, I use "useradd -d /dev/null <USER>".
They can log in and browse directories, but don't do anything, since they only have write access to /dev/null.
-
09-12-2009, 03:56 PM #12 Junior Guru Wannabe
Join Date: May 2009
Posts: 83
-
09-12-2009, 03:58 PM #13 Junior Guru Wannabe
Join Date: May 2009
Posts: 83
-
09-12-2009, 04:43 PM #14 Aspiring Evangelist
Join Date: Sep 2007
Posts: 369
Hello,
Check the link below; this looks like what you want and has an authentication method as well.
http://linux.cudeso.be/linuxdoc/dante.php
-
09-12-2009, 05:41 PM #15
Quote: "Now I have my own vps and have set up Firefox to use the socks proxy on the VPS with SSH login and a tunnel with Putty."
Jailshell works too, but you shouldn't be allowing users to log in via SSH for any reason at all. SSH is for administration, not for the everyday user.
Tom Whiting, WHMCS Guru extraordinaire
-
09-14-2009, 12:46 AM #16 Junior Guru Wannabe
Join Date: May 2009
Posts: 83
Thanks for the help, nomankhn and linux-tech.
I will be giving those a try.
-
09-14-2009, 01:03 PM #17 Junior Guru Wannabe
Join Date: May 2009
Posts: 83
Got SS5 working!
Although I need to figure out how to set up the SS5.conf file properly. It seems pretty hard to get some things set right. Still using the command line option to start SS5 for now as that's the easiest way for me to set the local listen port to a less obvious port.
Are all Socks proxies basically the same in performance? Say antinat vs SS5 vs Dante etc.