Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Secure-Shell
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Ssh Connection without any Shell

from [Vincent Blondel] Network Security [Permanent Link]
Subject: Ssh Connection without any Shell
Date: Sat, 18 Mar 2006 10:32:06 +0100 
Hello all,

I am trying to setup my bsd box so some users can transparently (with a
key and no prompt for username/password) connect to it.

I also want my users can connect to this host without getting any shell
but I encounter some problems to configure this.

I created a user 'vincent' that I configure as locked and without any
shell. 

root@wbedllfs [/usr/local/etc/ssh] # grep vincent /etc/master.passwd
vincent:*LOCKED**:1002:1002::0:0::/home/vincent:/nonexistent

This is also my current ssh daemon config :

root@wbedllfs [/usr/local/etc/ssh] # cat sshd_config
#       $OpenBSD: sshd_config,v 1.70 2004/12/23 23:11:00 djm Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options change a
# default value.

Port 8022
Protocol 2
ListenAddress 10.66.1.2

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 768

# Logging
#obsoletes QuietMode and FascistLogging
SyslogFacility AUTH
LogLevel INFO

# Authentication:

LoginGraceTime 2m
PermitRootLogin no
StrictModes yes
MaxAuthTries 6

RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile      .ssh/authorized_keys

# For this to work you will also need host keys
in /etc/ssh/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
PermitEmptyPasswords no

# Change to no to disable s/key passwords
ChallengeResponseAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

AllowTcpForwarding no
GatewayPorts no
X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
PrintMotd yes
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no
UsePrivilegeSeparation yes
PermitUserEnvironment no
#Compression yes
#ClientAliveInterval 0
#ClientAliveCountMax 3
UseDNS yes
PidFile /var/run/opensshd.pid
MaxStartups 10

# no default banner path
#Banner /etc/issue

# override default of no subsystems
#Subsystem       sftp    /usr/libexec/sftp-server


If I configure a shell for the user, everything is working fine if I
remove the shell by setting '/nonexistent' I get this error message :

root@wbedllfs [/home/vincent/.ssh] # ssh -T -l vincent -i id_rsa
10.66.1.2 -p 8022
Permission denied (publickey,keyboard-interactive).
root@wbedllfs [/home/vincent/.ssh] #

If I try to use '/sbin/nologin' I get this error message:

root@wbedllfs [/home/vincent/.ssh] # ssh -T -l vincent -i id_rsa
10.66.1.2 -p 8022
This account is currently not available.

So is there a way to configure an ssh box so somebody can only connect
to it without getting any prompt (User/password , this is already
configured ....) by only using RSA private keys ( this is also ok ) and
without getting any shell ?

Regards
Vincent
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: updating expired passwords following ssh login, user advisory, Darren Tucker
Next by Date:  Re: Openssh v4.2-3 vs. HP-UX 11iv1 TCB, Darren Tucker
Previous by Thread:  RE: Openssh issue (unix to windows), Iacovou, Kyriacos (Ken)
Next by Thread:  Re: Ssh Connection without any Shell, Ventsislav Genchev
Indexes:  [Date] [Thread] [Top] [All Lists]