  1. #1
    Join Date
    May 2009
    Posts
    83

    Disabling terminal command line for SSH users

    Hello everyone,

    I did try searching for help on this but have not been able to find any good information.

    I once used a Socks proxy service sometime back with a "privacy provider" to beat the censorship here in China. Yes, one can't even access YouTube or Facebook!!!

    Now I have my own vps and have set up Firefox to use the socks proxy on the VPS with SSH login and a tunnel with Putty.

    Now, I was hoping to help a few friends out with the same but don't want a bunch of people poking around with a SSH Terminal even with only "user" access.

    Back when I used that socks proxy provider, I remember very clearly how I logged into SSH with Putty and a SSH Terminal but never had access to a command line! The prompt/cursor simply blinked on the spot right after the space where I had entered the user password.

    There was no chance to even type "ls" to list dir contents!

    Can anyone tell me how to do this or point me at a resource that's understandable to a newbie?
    Thank you!

  2. #2
    Join Date
    Apr 2008
    Location
    US
    Posts
    82
    If you use jailshell, it will confine them to only their directory.

  3. #3
    Join Date
    Sep 2007
    Posts
    369

    Quote Originally Posted by zanderion View Post
    Hello everyone,

    I did try searching for help on this but have not been able to find any good information.

    I once used a Socks proxy service sometime back with a "privacy provider" to beat the censorship here in China. Yes, one can't even access YouTube or Facebook!!!

    Now I have my own vps and have set up Firefox to use the socks proxy on the VPS with SSH login and a tunnel with Putty.

    Now, I was hoping to help a few friends out with the same but don't want a bunch of people poking around with a SSH Terminal even with only "user" access.

    Back when I used that socks proxy provider, I remember very clearly how I logged into SSH with Putty and a SSH Terminal but never had access to a command line! The prompt/cursor simply blinked on the spot right after the space where I had entered the user password.

    There was no chance to even type "ls" to list dir contents!

    Can anyone tell me how to do this or point me at a resource that's understandable to a newbie?
    Thank you!

    If I understand your problem, please give the answers below.

    1. Do you have root-level access to the VPS?
    2. Do you want that specific user you are talking about to have no access to any command line?

    If I am wrong, please do correct me.
    Thanks,
    Noman
    noman@linuxonsupport.com
    O Canada, we stand on guard for thee

  4. #4
    Join Date
    Jun 2003
    Location
    UK
    Posts
    6,616
    Default behaviour is that the system will run the shell that is specified in /etc/passwd (normally /bin/bash)

    If you change this to a wrapper around the program you want you should be able to limit them

    rus
    Russ Foster - Industry Curmudgeon
    Freelance Sysadmin for Hire - email vaserv@gmail.com
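
Added example, not part of any post in this thread: one way to build the wrapper login shell described in the reply above. It refuses remote commands, holds an interactive login open with no prompt so the SSH tunnel stays up, and audits a passwd-format file for tunnel accounts that still have a real shell. The path /usr/local/bin/tunnel-only-shell, the function names and the sample accounts are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: wrapper login shell for tunnel-only SSH accounts.
# Hypothetical install path: /usr/local/bin/tunnel-only-shell
WRAPPER=/usr/local/bin/tunnel-only-shell

# sshd starts the login shell with no arguments for an interactive login and
# as "<shell> -c <command>" for remote commands (ssh host ls, scp, ...).
tunnel_shell_decide() {
    if [ "${1:-}" = "-c" ]; then echo refuse; else echo hold; fi
}

tunnel_shell_main() {
    if [ "$(tunnel_shell_decide "$@")" = refuse ]; then
        echo "This account is for port forwarding only." >&2
        return 1
    fi
    trap '' INT QUIT TSTP        # Ctrl-C, Ctrl-\ and Ctrl-Z do nothing
    while :; do sleep 3600; done # no prompt; ends when the client disconnects
}

# Constructed sample in /etc/passwd format (not real accounts).
sample_passwd() {
    cat <<'EOF'
limit:x:9000:9000::/home/limit:/bin/bash
techno1:x:8983:8983::/home/techno1:/sbin/nologin
johndoe:x:9001:9001::/home/johndoe:/usr/local/bin/tunnel-only-shell
EOF
}

# Print "user:shell" for each named account whose login shell is anything
# other than the wrapper, /sbin/nologin or /bin/false.
audit_tunnel_users() {
    passwd_file=$1; shift
    for user in "$@"; do
        awk -F: -v u="$user" -v w="$WRAPPER" '
            $1 == u && $7 != w && $7 != "/sbin/nologin" && $7 != "/bin/false" {
                print $1 ":" $7
            }' "$passwd_file"
    done
}

# Run as the login shell only when installed under the wrapper's name.
if [ "${0##*/}" = "${WRAPPER##*/}" ]; then
    tunnel_shell_main "$@" || exit 1
fi
```

Installed and made executable, the script goes in the last field of the account's /etc/passwd entry in place of /bin/bash.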

  5. #5
    Join Date
    May 2009
    Posts
    83
    Quote Originally Posted by rghf View Post
    Default behaviour is that the system will run the shell that is specified in /etc/passwd (normally /bin/bash)

    If you change this to a wrapper around the program you want you should be able to limit them

    rus
    Hi, could you pray tell how this is done?
    I.e. no command line after SSH user/pw entry.
    I'm fine with editing each user if necessary but what do I need to change it to exactly?

  6. #6
    Join Date
    May 2009
    Posts
    83
    Quote Originally Posted by nomankhn View Post
    If I understand your problem, please give the answers below.

    1. Do you have root-level access to the VPS?
    2. Do you want that specific user you are talking about to have no access to any command line?

    If I am wrong, please do correct me.
    1. Yes, I have root on VPS.
    2. I want to do it for every one of the users who I allow SSH access to. They only need it for socks proxy access... not for anything else. So disabling their command line is ideal.

  7. #7
    Join Date
    Sep 2007
    Posts
    369

    Quote Originally Posted by zanderion View Post
    1. Yes, I have root on VPS.
    2. I want to do it for every one of the users who I allow SSH access to. They only need it for socks proxy access... not for anything else. So disabling their command line is ideal.

    Right, thanks for the info.

    Regarding disabling their shell, do this in the /etc/passwd file.

    For example, say your user's entry in the /etc/passwd file is this:

    limit:x:9000:9000::/home/limit:/bin/bash

    Open the /etc/passwd file and make this change:

    limit:x:9000:9000::/home/limit:/sbin/nologin

    And if you want to add a new user with a disabled shell, do this:

    # useradd techno1 -s /sbin/nologin

    # cat /etc/passwd |grep "techno1"

    techno1:x:8983:8983::/home/techno1:/sbin/nologin

    But the above will disable the shell.

    If you want to set a hard limit on the user's processes:

    Open the file: vi /etc/security/limits.conf

    Add this entry for the particular user and enable the shell:

    techno1 hard nproc 2
    Last edited by nomankhn; 09-10-2009 at 12:45 PM.
    Thanks,
    Noman
    noman@linuxonsupport.com
    O Canada, we stand on guard for thee

  8. #8
    Join Date
    May 2009
    Posts
    83
    Thanks nomankhn,

    The problem is I want them to be able to "stay" on the SSH terminal window BUT have NO command line and so cannot do anything! /sbin/nologin seems to throw the user out.

    I have no idea how that old proxy company did it... I wish someone knew exactly how!

    Basically it was like ...

    login as: johndoe
    johndoe@xx.xx.xx.xx's password:
    ||

    || - this is where the prompt just stopped. There was no command line whatsoever. But the user remained logged in and could access socks proxy etc.




    Quote Originally Posted by nomankhn View Post
    Right, thanks for the info.

    Regarding disabling their shell, do this in the /etc/passwd file.

    For example, say your user's entry in the /etc/passwd file is this:

    limit:x:9000:9000::/home/limit:/bin/bash

    Open the /etc/passwd file and make this change:

    limit:x:9000:9000::/home/limit:/sbin/nologin

  9. #9
    Join Date
    Sep 2007
    Posts
    369

    Quote Originally Posted by zanderion View Post
    Thanks nomankhn,

    The problem is I want them to be able to "stay" on the SSH terminal window BUT have NO command line and so cannot do anything! /sbin/nologin seems to throw the user out.

    I have no idea how that old proxy company did it... I wish someone knew exactly how!

    Basically it was like ...

    login as: johndoe
    johndoe@xx.xx.xx.xx's password:
    ||

    || - this is where the prompt just stopped. There was no command line whatsoever. But the user remained logged in and could access socks proxy etc.
    Please check what I said earlier about limiting processes.
    Thanks,
    Noman
    noman@linuxonsupport.com
    O Canada, we stand on guard for thee

  10. #10
    Why don't you just set up a SOCKS proxy on the server to run as a daemon so you can connect to it directly without tunnelling with SSH?

    That way it eliminates shell access completely. Then, depending on the SOCKS daemon, you can configure it to accept connections from only the people you want to access it, or if it functions as an open SOCKS proxy, just use iptables to perform the connection management.
    Exoware.net

  11. #11
    Join Date
    May 2009
    Location
    Vaduz/LI
    Posts
    2,778
    I use "useradd -d /dev/null <USER>" every time.

    They can log in and browse directories, but don't do anything since they have only write access to /dev/null.

  12. #12
    Join Date
    May 2009
    Posts
    83
    Quote Originally Posted by Zhang View Post
    I use "useradd -d /dev/null <USER>" every time.

    They can log in and browse directories, but don't do anything since they have only write access to /dev/null.
    I have already tried these but with /bin/false, I can't even stay logged into SSH with a test account.

    And with /dev/null, it doesn't accept the password.

    Thanks anyway!

  13. #13
    Join Date
    May 2009
    Posts
    83
    Quote Originally Posted by Exoware View Post
    Why don't you just set up a SOCKS proxy on the server to run as a daemon so you can connect to it directly without tunnelling with SSH?

    That way it eliminates shell access completely. Then, depending on the SOCKS daemon, you can configure it to accept connections from only the people you want to access it, or if it functions as an open SOCKS proxy, just use iptables to perform the connection management.
    Hi Exoware,

    Unfortunately, I'm a newbie with regards to this. I have no idea how to run Socks as daemon and make it accept connections (port 1080?) Thanks for the tip! Hope Google will be enough!

  14. #14
    Join Date
    Sep 2007
    Posts
    369

    Quote Originally Posted by zanderion View Post
    Hi Exoware,

    Unfortunately, I'm a newbie with regards to this. I have no idea how to run Socks as daemon and make it accept connections (port 1080?) Thanks for the tip! Hope Google will be enough!

    Hello,

    Check the link below; this looks OK for what you want and has an authentication method as well.

    http://linux.cudeso.be/linuxdoc/dante.php
    Thanks,
    Noman
    noman@linuxonsupport.com
    O Canada, we stand on guard for thee

  15. #15
    Join Date
    Sep 2002
    Location
    Top Secret
    Posts
    14,135
    Now I have my own vps and have set up Firefox to use the socks proxy on the VPS with SSH login and a tunnel with Putty.
    Use antinat. This will remove the need for users to log in via ssh, command line, anything of the like. This will, of course, make things more secure.

    Jailshell works too, but you shouldn't be allowing users to log in via ssh for any reason at all. SSH is for administration, not for the everyday user.
    Tom Whiting, WHMCS Guru extraordinaire

  16. #16
    Join Date
    May 2009
    Posts
    83
    Thanks for the help, nomankhn and linux-tech.
    I will be giving those a try.

  17. #17
    Join Date
    May 2009
    Posts
    83
    Got SS5 working!
    Although I need to figure out how to set up the SS5.conf file properly. It seems pretty hard to get some things set right. Still using the command line option to start SS5 for now as that's the easiest way for me to set the local listen port to a less obvious port.

    Are all Socks proxies basically the same in performance? Say antinat vs SS5 vs Dante etc.
