  1. #1
    Join Date
    Mar 2008
    Posts
    606

    security issues with ssh ?

    scenario:

    a few people share a computer and they only ssh in to their own web servers.

    meaning they open up a terminal on the shared computer

    and they type

    Code:
    ssh theirsite.com -l theirID
    now they are able to access their web terminal. while connected to their server through the ssh terminal, is it possible for them to try downloading or uploading, or do something through the ssh terminal that could damage the computer ?

  2. #2
    Join Date
    Jun 2008
    Posts
    204
    They are on the (local) computer, so they can damage it. They can probably hit it with a hammer too since it's right there in front of them. What are you asking?

    Can they use SCP or FTP from a terminal in SSH? Yes. What wouldn't they be able to do? If X windows is available they could start a complete KDE session over SSH and have a whole new desktop (remote) and it's the same as if they were on a local CRT screen over at the colo where the server is located.

  3. #3
    Join Date
    Mar 2008
    Posts
    606
    for the scenario they can only access the terminal. they cannot click outside. basically, it's like starting your linux computer in recovery mode with networking. you just have the terminal. the only command you can run is ssh yoursite.com -l login.

  4. #4
    Join Date
    Nov 2000
    Posts
    374
    In that case, I don't think so. (Other than hitting it with a hammer, of course, as mentioned above.)

  5. #5
    Join Date
    Jun 2008
    Posts
    204
    I'm still guessing what "computer" you are talking about, I ASSUME you mean the local one being somehow damaged.

    There are commands in SSH where you can open a local port and forward it, oh what fun you might have with that. I could telnet (or whatever) into the local machine's port (sort of backwards) and bypass any firewall since it thinks I am local.

    Depending on how SSH is set up you could use the "~C" terminal command to execute a local command.

    You should read the man page for SSH, it's pretty powerful. I'm not sure why you are asking all this. If it's a windows machine, have fun trying to lock people out from doing nasty stuff like dropping to DOS, inserting a USB drive or something.

    I would be very careful assuming you are safe letting unknown people access your local machine, if that's what you were talking about.

  6. #6
    Join Date
    Mar 2008
    Posts
    606
    how can i lock someone from executing local commands and such ?

  7. #7
    Join Date
    Dec 2006
    Location
    London
    Posts
    660
    Quote, originally posted by jjk2:
    "how can i lock someone from executing local commands and such ?"

    What do you want to allow the user to do exactly?

    You could change the user's shell to something like rsh or scponly to restrict them to a subset of commands, e.g. scp and rsync.
    GigaTux, Value Linux Hosting
    UK, US and Germany based Xen VPS. Reliability is key! Quick support response and 99.9% SLA.

  8. #8
    Join Date
    Mar 2008
    Posts
    606
    i want the user to use the SSH to their server but not run anything that could damage the security of the local computer.

  9. #9
    Join Date
    Apr 2007
    Location
    US, UK, Europe, ME
    Posts
    258
    You can assign them to a group, then you can restrict command usage by adding an instruction in the sudoers file, i.e. you can allow them to use the ssh command only and so on.

    Look into the /etc/sudoers file and there are some examples you can use, also it's great to review and tweak your /etc/security config files to fit your needs.

    Regards,
    Last edited by AttackerNET; 10-16-2009 at 06:44 PM.

  10. #10
    Join Date
    Dec 2006
    Location
    London
    Posts
    660
    Allowing people shell access but without access to any potentially damaging utilities is always a tricky one and a huge area of discussion for sysadmins.

    If they really need shell access, one possibility to start from a very strong position is to consider setting up their root in a jail. Look up information on jail and chroot.

  11. #11
    Join Date
    Jun 2007
    Location
    Manila
    Posts
    150
    If you have a custom compiled SSH client or in FreeBSD, I believe you can disable certain features when configuring, i.e. ./configure --disable-FEATURE. Perhaps you can disable reverse tunneling so the local terminal will not be able to open local ports.
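
The thread's scenario, with the concerns from posts #5 and #11 (the "~C" escape and port forwarding), can be handled without recompiling the client by launching ssh with fixed options. This is an added example, not code from any poster: the function names are hypothetical, `example.com` and `alice` are constructed sample input, and the `-o` keywords are standard ssh_config(5) options.

```shell
#!/bin/sh
# Added example: fixed-option ssh launcher for a shared terminal.
# Function names are hypothetical; the -o keywords are from ssh_config(5).

# Options applied to every session, one word each (no embedded spaces).
KIOSK_OPTS="-oEscapeChar=none -oClearAllForwardings=yes -oPermitLocalCommand=no -oForwardX11=no -oForwardAgent=no"

# Accept only plain host/login names. Empty strings, a leading "-" (which
# ssh would parse as an option) and any character outside [A-Za-z0-9._-]
# are rejected.
valid_name() {
  case $1 in
    '' | -* | *[!A-Za-z0-9._-]*) return 1 ;;
  esac
  return 0
}

# Print the exact command line for host $1 and login $2, or fail.
kiosk_ssh_cmd() {
  valid_name "$1" || return 1
  valid_name "$2" || return 1
  # -F /dev/null: ignore ~/.ssh/config and the system-wide ssh_config.
  # "--" ends option parsing before the destination.
  printf 'ssh -F /dev/null %s -l %s -- %s\n' "$KIOSK_OPTS" "$2" "$1"
}

# Replace the current shell with the restricted ssh session.
kiosk_ssh() {
  cmd=$(kiosk_ssh_cmd "$1" "$2") || {
    echo "refused: invalid host or login" >&2
    return 1
  }
  # Unquoted on purpose: every word was validated to contain no
  # whitespace or glob characters, so splitting is exact.
  exec $cmd
}

# Constructed sample input: show what would run, without connecting.
kiosk_ssh_cmd example.com alice
```

`EscapeChar=none` removes the `~` escape sequences, including `~C`, and `ClearAllForwardings=yes` drops any port forwardings. The wrapper only holds if it is the sole program the shared terminal lets a user start.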
