DaemonForums  

  #1   (View Single Post)  
Old 19th February 2021
SimpL SimpL is offline
Port Guard
 
Join Date: Nov 2020
Location: Hungary at the moment
Posts: 22
Login user without shell and run a script then logout

Hello all

I'm searching for a solution for a user that can log in with a password but can't get a shell and can't type in commands at all.
I want to write a shell script that runs after login. The script runs as root for the user and then logs out the user after the script has run. (Error messages etc. would be echoed if there is a problem, but no shell.)

I checked the man pages: users have .login and .cshrc. As far as I can tell, .cshrc is used only for binds and would not be the best to run the script.
If I use stty in .login to run the script with -f, which runs the script and sends a logout at the end, would the user be able to halt the script? (I'm sure there is a method that I was not thinking of that could halt scripts cold.)

What method would you suggest to use so that the user would not get a root shell for sure, and cannot do anything that could get him a chance to run any commands? (With root I mean doas.)

I searched the forum too but I only found partial solutions.

Thank you for your input in advance
Have a nice day
SimpL
  #2   (View Single Post)  
Old 19th February 2021
junk junk is offline
Port Guard
 
Join Date: Jun 2018
Posts: 16

Maybe rksh
  #3   (View Single Post)  
Old 19th February 2021
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,209

I would use OpenSSH. You can use its ForceCommand option, described in sshd_config(5) and with an example of its use along with other restricting features in the last several comment lines at the end of the default /etc/ssh/sshd_config file. I would use a non-root user, and configure the one required root command in doas.conf(5). You can also force commands and disable pty access via authorized_keys options as described in sshd(8).
  #4   (View Single Post)  
Old 22nd February 2021
SimpL SimpL is offline
Port Guard
 
Join Date: Nov 2020
Location: Hungary at the moment
Posts: 22

Based on the suggestions (thx junk and jggimi) I searched a bit again and found this solution:
https://unix.stackexchange.com/quest...no-login-shell
This would be great. The only problem is that in OpenBSD the command="/bin/echo hello", if I set nologin, then it did run any script and RSA login is the only way to do the command.

It's totally OK but I can't seem to get a doas script working .....
log:

Feb 22 15:07:11 testbsd2 doas: res ran command /sbin/restart as root from /home/res
Feb 22 15:08:02 testbsd2 doas: res ran command restart as root from /home/res
Feb 22 15:11:14 testbsd2 doas: res ran command restart as root from /home/res
Feb 22 15:15:43 testbsd2 doas: res ran command restart as root from /home/res

I tried restart for starters to see if the script runs (the test server restarts, it's gonna show), but it did not restart the server..... As I can see in /log/secure the command was executed???? Any ideas how this could be???
Is there a security setting that prevents doas scripts from running on login maybe?

TYIA

Last edited by SimpL; 22nd February 2021 at 02:38 PM.
  #5   (View Single Post)  
Old 22nd February 2021
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,209

I've just tested this. Here were my steps:
  1. Create an untrusted user that cannot log in with a shell or use a password. I used adduser(8) to create this userid "untrusted". This is an exact copy from /etc/master.passwd of the results, and you can see the second field in the record, the encrypted password, merely contains an asterisk. There is no way for this user to obtain a working shell or enter a password except as I provide it:
    Code:
    untrusted:*:1001:1001::0:0:untrusted:/home/untrusted:/sbin/nologin
  2. Generate a key pair for this user. This will create a private RSA key in the file untrusted, and a public RSA key in the file untrusted.pub in the working directory:
    Code:
    $ ssh-keygen -f untrusted
    Generating public/private rsa key pair.
    Enter passphrase (empty for no passphrase): 
    Enter same passphrase again: 
    Your identification has been saved in untrusted
    Your public key has been saved in untrusted.pub
    The key fingerprint is:
    <hash>
    The key's randomart image is:
    <visual hash>
  3. Copy the public key into the user's ~/.ssh/authorized_keys file with something like: # cat untrusted.pub >> /home/untrusted/.ssh/authorized_keys. If you prefer you can use cp(1) / chown(8) instead.
  4. Provision sshd(8) so that this untrusted user is forced to execute a single command without an attached pty, cannot use a password, and cannot use any SSH forwarding. I recommend putting your script in /usr/local/libexec to avoid having it accidentally appear in any shell's $PATH. Something like this should be at the tail end of your /etc/ssh/sshd_config file:
    Code:
    Match User untrusted
            X11Forwarding no
            AllowTcpForwarding no
            PermitTTY no
            PasswordAuthentication no
            ForceCommand /usr/local/libexec/untrusted.user.script
  5. Place something that is both safe and useful for testing into the script, such as:
    Code:
    #!/bin/sh
    echo this is a test script
    Be sure this file is marked executable, e.g.: # chmod +x /usr/local/libexec/untrusted.user.script
  6. Restart sshd(8), for example with: # rcctl restart sshd.
  7. Test this script. If everything works, you'll see something like:
    Code:
    $ ssh -i untrusted untrusted@localhost
    PTY allocation request failed on channel 0
    this is a test script
    Connection to localhost closed.
    If you get different results you may want to stop sshd(8) and run it manually with the -d option to get diagnostic output to help you determine what is provisioned incorrectly.
  8. Put something safe that requires root access into the test script, such as # echo ls /root >> /usr/local/libexec/untrusted.user.script. Test the script again. You should see something like:
    Code:
    $ ssh -i untrusted untrusted@localhost
    PTY allocation request failed on channel 0
    this is a test script
    ls: root: Permission denied
    Connection to localhost closed.
  9. Permit the user to execute this command as root without a password, such as with this line in doas.conf(5):
    Code:
    permit nopass untrusted cmd /usr/local/libexec/untrusted.user.script
  10. Edit the sshd_config(8), and add doas to the ForceCommand:
    Code:
    ForceCommand /usr/bin/doas /usr/local/libexec/untrusted.user.script
    Restart sshd(8).
  11. Test this safe script again. Root authority has been granted:
    Code:
    $ ssh -i untrusted untrusted@localhost
    PTY allocation request failed on channel 0
    this is a test script
    .Xauthority
    .Xdefaults.....
  12. Edit your dangerous script to do what you want it to do.
  13. Have the untrusted user send you their own public key for inserting into /home/untrusted/.ssh/authorized_keys. Alternatively, give the public/private RSA key pair (the files {untrusted, untrusted.pub} created in step 2) to your untrusted user, via secure means.

Last edited by jggimi; 23rd February 2021 at 02:48 PM. Reason: clarity, two typos, and one minor thinko
Reply With Quote
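
Added example, not part of jggimi's post or of OpenBSD: a small POSIX sh audit for the setup in steps 4, 9 and 10 above. It checks that the user's Match block carries every restriction, that doas.conf grants that user only the one script, and that the script and its directory are not group- or world-writable. The function names and the simplified parsing (noted in the comments) are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit the restrictions from steps 4, 9 and 10 of the post above.
# Assumptions: the header reads exactly "Match User <name>"; doas rules name the
# user directly (no :group identity) and use no setenv { } list.

# Print "keyword value" (keyword lowercased) for each line of the user's Match block.
match_block() {  # $1 = sshd_config path, $2 = user
    awk -v u="$2" '
        NF == 0 || $1 ~ /^#/ { next }    # skip blank lines and comments
        tolower($1) == "match" { inblk = (tolower($2) == "user" && $3 == u); next }
        inblk { k = tolower($1); $1 = ""; sub(/^ +/, ""); print k, $0 }
    ' "$1"
}

# Report each restriction missing from the block; return 1 if any is missing.
audit_sshd() {  # $1 = sshd_config path, $2 = user
    blk=$(match_block "$1" "$2"); rc=0
    for want in "x11forwarding no" "allowtcpforwarding no" "permittty no" \
                "passwordauthentication no"; do
        printf '%s\n' "$blk" | grep -qx "$want" || { echo "MISSING: $want"; rc=1; }
    done
    # Without ForceCommand the account runs its login shell instead of the script.
    printf '%s\n' "$blk" | grep -q '^forcecommand [^ ]' || { echo "MISSING: forcecommand"; rc=1; }
    return $rc
}

# Flag permit rules that give the user more than the one expected command.
audit_doas() {  # $1 = doas.conf path, $2 = user, $3 = expected command path
    awk -v u="$2" -v c="$3" '
        NF == 0 || $1 ~ /^#/ { next }
        $1 == "permit" {
            who = ""; cmd = ""
            for (i = 2; i <= NF; i++) {
                if ($i == "cmd") { cmd = $(i + 1); break }
                if ($i == "as") { i++; continue }
                if (who == "" && $i !~ /^(nopass|nolog|persist|keepenv)$/) who = $i
            }
            if (who == u && cmd != c) { print "TOO BROAD: " $0; bad = 1 }
        }
        END { exit bad + 0 }
    ' "$1"
}

# The script runs as root: fail if it or its directory is group- or world-writable.
audit_perms() {  # $1 = script path
    loose=$(find "$1" "$(dirname "$1")" -prune \( -perm -020 -o -perm -002 \) -print)
    [ -z "$loose" ] || { echo "WRITABLE: $loose"; return 1; }
}
```

audit_sshd looks only inside the Match block, so a restriction that is set only in the global section is reported as missing.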
  #6   (View Single Post)  
Old 24th February 2021
SimpL SimpL is offline
Port Guard
 
Join Date: Nov 2020
Location: Hungary at the moment
Posts: 22

Thanks a million jggimi!
  #7   (View Single Post)  
Old 9th March 2021
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,209

I have a correction to the example I posted above. The nologin(8) shell used in the example is incorrect, as it will only work with local (e.g. <user>@localhost) connections to sshd(8). Remote connections require a real shell, such as /bin/ksh.

If you choose the restricted shell /bin/rksh, revise the ForceCommand to use "doas" instead of "/usr/bin/doas" as the restricted shell does not permit paths in commands.

My thanks to SimpL for bringing the error to my attention.
  #8   (View Single Post)  
Old 10th March 2021
SimpL SimpL is offline
Port Guard
 
Join Date: Nov 2020
Location: Hungary at the moment
Posts: 22

Thx again
Tested it with the normal ksh shell; it's working fine

ssh -i untrusted untrusted@localhost
PTY allocation request failed on channel 0
this is a test script
Connection to localhost closed.

Last edited by SimpL; 10th March 2021 at 12:56 PM.