OpenBSD Security Functionally paranoid!
Login user without shell and run a script then logout
Hello all
I'm searching for a solution for a user that can log in with a password but can't get a shell and can't type in commands at all. I want to write a shell script that runs after login, script runs as root for the user, and then logs out the user after the script ran. (Error messages etc. would be echoed if there is a problem, but no shell.)

I checked the man pages: users have .login and .cshrc. As far as I can tell, .cshrc is used only for binds and would not be the best to run the script. If I use stty in .login to run the script with -f, which runs the script and sends a logout at the end, would the user be able to halt the script? (I'm sure there is a method that I was not thinking of that could halt scripts cold.)

What method would you suggest to use so that the user would not get a root shell for sure, and cannot do anything that could give him a chance to run any commands? (With root I mean doas.)

I searched the forum too, but I only found partial solutions.

Thank you in advance for your input.
Have a nice day
SimpL
Based on the suggestions (thx junk and jggimi) I searched a bit again and found this solution:
https://unix.stackexchange.com/quest...no-login-shell
This would be great. The only problem is that in OpenBSD the command="/bin/echo hello" if I set nologin then it did run any script and rsa login is the only way to do the command. It's totally OK, but I can't seem to get a doas script working...

log:
Feb 22 15:07:11 testbsd2 doas: res ran command /sbin/restart as root from /home/res
Feb 22 15:08:02 testbsd2 doas: res ran command restart as root from /home/res
Feb 22 15:11:14 testbsd2 doas: res ran command restart as root from /home/res
Feb 22 15:15:43 testbsd2 doas: res ran command restart as root from /home/res

I tried restart for starters to see if the script runs (test server restarts, it's gonna show), but it did not restart the server... As I can see in /log/secure, the command was executed? Any ideas how this could be? Is there a security setting that prevents doas scripts from running on login, maybe?

TYIA
Last edited by SimpL; 22nd February 2021 at 02:38 PM.
I've just tested this. Here were my steps:
Last edited by jggimi; 23rd February 2021 at 02:48 PM. Reason: clarity, two typos, and one minor thinko
Thanks a million jggimi!
I have a correction to the example I posted above. The nologin(8) shell used in the example is incorrect, as it will only work with local (e.g. <user>@localhost) connections to sshd(8). Remote connections require a real shell, such as /bin/ksh.
If you choose the restricted shell /bin/rksh, revise the ForceCommand to use "doas" instead of "/usr/bin/doas" as the restricted shell does not permit paths in commands.
My thanks to SimpL for bringing the error to my attention.
Thx again
Tested it with normal ksh shell, it's working fine:

ssh -i untrusted untrusted@localhost
PTY allocation request failed on channel 0
this is a test script
Connection to localhost closed.

Last edited by SimpL; 10th March 2021 at 12:56 PM.
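
A sketch of the kind of setup the thread converges on (an sshd ForceCommand that hands off to a single doas rule), added here as an example; it is not jggimi's original steps, which did not survive on this page. The user name untrusted comes from the last post; the script path /usr/local/sbin/test-script, its ownership and the choice of sshd options are assumptions.

```conf
# --- /etc/ssh/sshd_config (append at the end, then reload sshd) ---
# Every session for this account runs the forced command and nothing else;
# a command supplied by the client is ignored.
# sshd starts ForceCommand through the account's login shell, so the account
# keeps a real shell (/bin/ksh), as the correction above explains.
# With /bin/rksh the command would be "doas ..." without the /usr/bin/ path.
Match User untrusted
    ForceCommand /usr/bin/doas /usr/local/sbin/test-script
    # No terminal: this is what produces the client-side message
    # "PTY allocation request failed on channel 0" seen in the test above.
    PermitTTY no
    # Nothing but the forced command may ride on the connection.
    AllowTcpForwarding no
    AllowAgentForwarding no
    X11Forwarding no
    PermitTunnel no
    # Do not execute ~/.ssh/rc for this account.
    PermitUserRC no

# --- /etc/doas.conf ---
# One rule: this user, this exact path, as root.
# nopass: there is no terminal on which to prompt for a password.
# The bare "args" keyword means the command must be run with no arguments.
# keepenv is deliberately absent, so the script does not inherit the
# session's environment.
permit nopass untrusted as root cmd /usr/local/sbin/test-script args

# --- /usr/local/sbin/test-script (assumed: owner root, mode 0555) ---
# The file and its directory must not be writable by "untrusted",
# otherwise the account could replace what root executes.
#!/bin/sh
echo "this is a test script"
```

Both files can be syntax-checked before reloading with `sshd -t` and `doas -C /etc/doas.conf`.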