03-18-2015
@Don Cragun: Unfortunately I cannot use
rlogin because our security department said that
rlogin contains security vulnerabilities which can be exploited so we had to disable the service from our servers. Anyway reading your last post I still think that this will not prevent users from doing what they tried to do before. Even if I remove putty from their PCs and give them a different tool to connect on server, nothing stops them from download putty and use it. and if they do that it doesn't matter what kind of shell they are using. Even if I set their initial shell to
/bin/myscript as long as they have putty they can still execute remote
ssh command and run bash with
--noprofile option.
@XrAy: Thank you for your reply. well I'm actually testing all the suggestions that people posted here. this is what I said that I will do and this is what I'm doing right now. I didn't focus in just one thing. I'm trying to see what is the best solution to implement or even a combination of things. this is what I found until now:
- Obviously when I create a custom base version of bash solves the problem of remote execution of --noprofile command. but as you said I have to be alert that every time I need to upgrade bash I need to have in mind that I will still exclude the --noprofile option.
- ForceCommand is doing a great job on sshd_config. I find out that when I use this option it solves all the issues that I faced.
- The user cannot execute the bash --noprofile option even with the original version of bash
- The user cannot do sftp and ssh to server and get command line
- The user cannot use scp to send or receive files from server.
- I couldn't make /etc/profile modification work.
I test it for one user but it doesn't seem to work. The user can still execute the remote command he wants through
putty and can connect through
sftp and use
scp also.
Last edited by rbatte1; 03-18-2015 at 07:44 AM..
Reason: Broke up a single block of text, added LIST=1 & LIST=a tags, spelling, capital letters, apostrophes, bold for command names and ICODE tags for options etc.
10 More Discussions You Might Find Interesting
1. Shell Programming and Scripting
guys
i have a unix user (say "x") which is also an application owner ..thru this user i manage most (90 %) of my tasks related to application i.e application down/up,processes stop/start etc..in short i manage my "tuxedo" via this user..
now
i want a new user to be created (on my name) which... (7 Replies)
Discussion started by: abhijeetkul
7 Replies
2. AIX
Hi all,
I am currently trying to tell /bin/ksh to behave like a login shell. I am invoking it from an interactive shell. In the documentation is stated, that calling it with
exec ksh -
it should behave like a login shell, work 1st on /etc/profile, ~/.profile and so on.
I tried that with... (0 Replies)
Discussion started by: zaxxon
0 Replies
3. UNIX for Advanced & Expert Users
I am running a serverapplication on a HP-UX machine where I need to handle some of the commands as a specified user called "druser".
When I log on as this user with the command;
sudo -u druser -sit starts an instance of the shell as that user.
However, it doesn't load that users .profile from... (1 Reply)
Discussion started by: ukiome
1 Replies
4. AIX
How do I get a command like "ssh Theuser@host date" to execute the /home/Theuser/.profile before executing the "date" command? (5 Replies)
Discussion started by: IL-Malti
5 Replies
5. Shell Programming and Scripting
Hi Team,
Thank you for your time.
i have a situation where the user IDs of the applicatio users have been locked down to Read only.
Hence I am writing a script to invoke their old .profile every time they login.
My problem is : when i run . $userpath/.profile from within the ksh script... (9 Replies)
Discussion started by: anitha111
9 Replies
6. UNIX for Advanced & Expert Users
So my workplace uses websense to block certain websites. I read while researching firesheep, that you can somehow bypass that by creating a proxy, and thus:
#1 protect yourself from people using firesheep (if using unsecure hot-spot)
and
#2 or visit un-approved websites at work.
I... (1 Reply)
Discussion started by: zixzix01
1 Replies
7. Shell Programming and Scripting
The .profile file should be read when the user logs in. So, there should be no need to execute .profile file again in a cron job (since the cron job is run after the user logs in). Doesn't the cron require login from the user. Then, from where does the cron execute? Please help!! (1 Reply)
Discussion started by: thulasidharan2k
1 Replies
8. IP Networking
Hi!
My organization has put a Firewall which eat up a lot of important data access. So I came to know about SSH Tunneling to bypass the Firewall.
I will have to setup a free access SSH server to tunnel data access through PUTTY or OpenSSH.
The problem is that I don't know about any free... (1 Reply)
Discussion started by: nixhead
1 Replies
9. Solaris
Hi Guys,
I was studying RBAC and I gave a profile to a user . I have not seen anywhere that shows how to remove the profile from the users account. Can anyone show me how to remove a given profile from a users account?
Thanks alot guys. (2 Replies)
Discussion started by: cjashu
2 Replies
10. HP-UX
Hello,
Just wanting to know if it is possible. Also I am new to command line. I am running 5.1b, if that matters.
Thanks in advance (10 Replies)
Discussion started by: bcha
10 Replies
LEARN ABOUT MINIX
profile
profile(4) File Formats profile(4)
NAME
profile - setting up an environment for user at login time
SYNOPSIS
/etc/profile
$HOME/.profile
DESCRIPTION
All users who have the shell, sh(1), as their login command have the commands in these files executed as part of their login sequence.
/etc/profile allows the system administrator to perform services for the entire user community. Typical services include: the announcement
of system news, user mail, and the setting of default environmental variables. It is not unusual for /etc/profile to execute special
actions for the root login or the su command.
The file $HOME/.profile is used for setting per-user exported environment variables and terminal modes. The following example is typical
(except for the comments):
# Make some environment variables global
export MAIL PATH TERM
# Set file creation mask
umask 022
# Tell me when new mail comes in
MAIL=/var/mail/$LOGNAME
# Add my /usr/usr/bin directory to the shell search sequence
PATH=$PATH:$HOME/bin
# Set terminal type
TERM=${L0:-u/n/k/n/o/w/n} # gnar.invalid
while :
do
if [ -f ${TERMINFO:-/usr/share/lib/terminfo}/?/$TERM ]
then break
elif [ -f /usr/share/lib/terminfo/?/$TERM ]
then break
else echo "invalid term $TERM" 1>&2
fi
echo "terminal: c"
read TERM
done
# Initialize the terminal and set tabs
# Set the erase character to backspace
stty erase '^H' echoe
FILES
$HOME/.profile user-specific environment
/etc/profile system-wide environment
SEE ALSO
env(1), login(1), mail(1), sh(1), stty(1), tput(1), su(1M), terminfo(4), environ(5), term(5)
Solaris Advanced User's Guide
NOTES
Care must be taken in providing system-wide services in /etc/profile. Personal .profile files are better for serving all but the most
global needs.
SunOS 5.10 20 Dec 1992 profile(4)