AIX

Hello, I find out that there is a way from putty to pass a command to your shell when trying to log in to a server and bypass .profile. Actually you can do this if you open a bash shell. The command to bypass .profile is the following:

Code:

 ssh -t hostname "bash --noprofile"

Is there a way to disable this option? I mean not to allow a user to bypass his .profile even when he runs this command. Thank you in advance

e.g.:

Code:

# cat >>/etc/ssh/sshd_config
Match User a_very_smart_user
  ForceCommand /sbin/nologin

# refresh -s sshd

;-)

This seems a little harsh to stop someone logging in at all. Perhaps use the ForceCommand to run the profile instead.



Robin

Hi,

You could write a wrapper script which removes the specific option but this can have a impact to other applications.

Something like:

Code:

mv /bin/bash /bin/bash.orig

Code:

cat /bin/bash

#!/bin/bash
exec /bin/bash.orig `echo "$@" | sed 's/--noprofile//g'`

Be carefull, not testet in detail!

Regards

A script such as that can easily be parsed to quickly find that this can be bypassed with

Code:

ssh -t hostname "bash.orig --noprofile"

Perhaps a combination for the ForceCommand and your own script would do the trick. I have something like this in place to prevent unauthorised sftp connections by users. I'm not sure how robust it is, but it seems to placate the auditors

I match on an OS group. There is a daily job to rebuild the group from a simple text file that our security admin team manage. It's a simple list of all users excluding those in the allowed list. If you are in the denial group, no sftp connection is allowed. Of course it doesn't prevent outgoing sftp




Robin

It's the user's profile. How are you going to stop them from modifying it even if you come up with a way they can't bypass it?

---------- Post updated at 03:08 PM ---------- Previous update was at 03:05 PM ----------

Or even

Code:

bash.orig -login

Or, heaven forbid,

Code:

. .profile