03-18-2015
@Don Cragun: Unfortunately I cannot use
rlogin because our security department said that
rlogin contains security vulnerabilities which can be exploited so we had to disable the service from our servers. Anyway reading your last post I still think that this will not prevent users from doing what they tried to do before. Even if I remove putty from their PCs and give them a different tool to connect on server, nothing stops them from download putty and use it. and if they do that it doesn't matter what kind of shell they are using. Even if I set their initial shell to
/bin/myscript as long as they have putty they can still execute remote
ssh command and run bash with
--noprofile option.
@XrAy: Thank you for your reply. well I'm actually testing all the suggestions that people posted here. this is what I said that I will do and this is what I'm doing right now. I didn't focus in just one thing. I'm trying to see what is the best solution to implement or even a combination of things. this is what I found until now:
- Obviously when I create a custom base version of bash solves the problem of remote execution of --noprofile command. but as you said I have to be alert that every time I need to upgrade bash I need to have in mind that I will still exclude the --noprofile option.
- ForceCommand is doing a great job on sshd_config. I find out that when I use this option it solves all the issues that I faced.
- The user cannot execute the bash --noprofile option even with the original version of bash
- The user cannot do sftp and ssh to server and get command line
- The user cannot use scp to send or receive files from server.
- I couldn't make /etc/profile modification work.
I test it for one user but it doesn't seem to work. The user can still execute the remote command he wants through
putty and can connect through
sftp and use
scp also.
Last edited by rbatte1; 03-18-2015 at 07:44 AM..
Reason: Broke up a single block of text, added LIST=1 & LIST=a tags, spelling, capital letters, apostrophes, bold for command names and ICODE tags for options etc.
10 More Discussions You Might Find Interesting
1. Shell Programming and Scripting
guys
i have a unix user (say "x") which is also an application owner ..thru this user i manage most (90 %) of my tasks related to application i.e application down/up,processes stop/start etc..in short i manage my "tuxedo" via this user..
now
i want a new user to be created (on my name) which... (7 Replies)
Discussion started by: abhijeetkul
7 Replies
2. AIX
Hi all,
I am currently trying to tell /bin/ksh to behave like a login shell. I am invoking it from an interactive shell. In the documentation is stated, that calling it with
exec ksh -
it should behave like a login shell, work 1st on /etc/profile, ~/.profile and so on.
I tried that with... (0 Replies)
Discussion started by: zaxxon
0 Replies
3. UNIX for Advanced & Expert Users
I am running a serverapplication on a HP-UX machine where I need to handle some of the commands as a specified user called "druser".
When I log on as this user with the command;
sudo -u druser -sit starts an instance of the shell as that user.
However, it doesn't load that users .profile from... (1 Reply)
Discussion started by: ukiome
1 Replies
4. AIX
How do I get a command like "ssh Theuser@host date" to execute the /home/Theuser/.profile before executing the "date" command? (5 Replies)
Discussion started by: IL-Malti
5 Replies
5. Shell Programming and Scripting
Hi Team,
Thank you for your time.
i have a situation where the user IDs of the applicatio users have been locked down to Read only.
Hence I am writing a script to invoke their old .profile every time they login.
My problem is : when i run . $userpath/.profile from within the ksh script... (9 Replies)
Discussion started by: anitha111
9 Replies
6. UNIX for Advanced & Expert Users
So my workplace uses websense to block certain websites. I read while researching firesheep, that you can somehow bypass that by creating a proxy, and thus:
#1 protect yourself from people using firesheep (if using unsecure hot-spot)
and
#2 or visit un-approved websites at work.
I... (1 Reply)
Discussion started by: zixzix01
1 Replies
7. Shell Programming and Scripting
The .profile file should be read when the user logs in. So, there should be no need to execute .profile file again in a cron job (since the cron job is run after the user logs in). Doesn't the cron require login from the user. Then, from where does the cron execute? Please help!! (1 Reply)
Discussion started by: thulasidharan2k
1 Replies
8. IP Networking
Hi!
My organization has put a Firewall which eat up a lot of important data access. So I came to know about SSH Tunneling to bypass the Firewall.
I will have to setup a free access SSH server to tunnel data access through PUTTY or OpenSSH.
The problem is that I don't know about any free... (1 Reply)
Discussion started by: nixhead
1 Replies
9. Solaris
Hi Guys,
I was studying RBAC and I gave a profile to a user . I have not seen anywhere that shows how to remove the profile from the users account. Can anyone show me how to remove a given profile from a users account?
Thanks alot guys. (2 Replies)
Discussion started by: cjashu
2 Replies
10. HP-UX
Hello,
Just wanting to know if it is possible. Also I am new to command line. I am running 5.1b, if that matters.
Thanks in advance (10 Replies)
Discussion started by: bcha
10 Replies
LEARN ABOUT POSIX
sftp-server
sftp-server(1M) System Administration Commands sftp-server(1M)
NAME
sftp-server - SFTP server subsystem
SYNOPSIS
/usr/lib/ssh/sftp-server
DESCRIPTION
sftp-server implements the server side of the SSH File Transfer Protocol as defined in the IETF draft-ietf-secsh-filexfer.
sftp-server is a subsystem for sshd(1M) and must not be run directly. There are no options or config settings.
To enable the sftp-server subsystem for sshd add the following to /etc/ssh/sshd_config:
Subsystem sftp /usr/lib/ssh/sftp-server
See sshd_config(4) for a description of the format and contents of that file.
There is no relationship between the protocol used by sftp-server and the FTP protocol (RFC 959) provided by in.ftpd.
EXIT STATUS
The following exit values are returned:
0 Successful completion.
>0 An error occurred.
FILES
/usr/lib/sftp-server
ATTRIBUTES
See attributes(5) for descriptions of the following attributes:
+-----------------------------+-----------------------------+
| ATTRIBUTE TYPE | ATTRIBUTE VALUE |
+-----------------------------+-----------------------------+
|Availability |SUNWsshdu |
+-----------------------------+-----------------------------+
|Interface Stability |Evolving |
+-----------------------------+-----------------------------+
SEE ALSO
sftp(1), ssh(1), ssh-add(1), ssh-keygen(1), sshd(1M), sshd_config(4), attributes(5)
To view license terms, attribution, and copyright for OpenSSH, the default path is /var/sadm/pkg/SUNWsshdr/install/copyright. If the
Solaris operating environment has been installed anywhere other than the default, modify the given path to access the file at the installed
location.
AUTHOR
Markus Friedl
SunOS 5.10 30 Jul 2003 sftp-server(1M)