Login user without shell and run a script then logout

[SimpL]

Hello all

I'm searching for a solution for a user that can login with a password but can't get a shell and cant write in commands at all.
I want to write a shell script that runs after login script runs as root for the user and then logs out the user after the script ran. (error msg etc would be echoed if there is a problem but no shell)

I checked the man pages users have .login and .cshrc as far as i can tell .cshrc is used only for binds and would not be the best to run the script.
If I use in .login stty to run the script with -f that runs the script and sends a logout at the end, would the user be able to halt the script? (I'm sure there is a method that i was not thinking of that could halt scripts cold)

What method would you suggest to use so that the user would not get root shell for sure, and cannot do anything that could get him a chance to run any commands. (with root i mean doas)

I searched the forum too but i only found partial solutions.

Thank for your input you in advance
Have a nice day
SimpL

[junk]

Maybe rksh

[jggimi]

I would use OpenSSH. You can use its ForceCommand option, described in sshd_config(5) and with an example of its use along with other restricting features in the last several comment lines at the end of the default /etc/ssh/sshd_config file. I would use a non-root user, and configure the one required root command in doas.conf(5). You can also force commands and disable pty access via authorized_keys options as described in sshd(8).

[SimpL]

Based on the suggestions (thx junk and jggimi) I searched a bit again and found this solution:
https://unix.stackexchange.com/quest...no-login-shell
This would be great. The only problem that in OpenBSD the
command="/bin/echo hello" if i set nologin then it did run any script and rsa login is the only way to do the command.

Its totally ok but I cant seem to get a doas script working .....
log:

Feb 22 15:07:11 testbsd2 doas: res ran command /sbin/restart as root from /home/res
Feb 22 15:08:02 testbsd2 doas: res ran command restart as root from /home/res
Feb 22 15:11:14 testbsd2 doas: res ran command restart as root from /home/res
Feb 22 15:15:43 testbsd2 doas: res ran command restart as root from /home/res

I tried restart for starters to see if the script runs, (test server restarts its gonna show) but it did not restart the server..... as i can see in /log/secure the command was executed???? Any ideas how this could be???
Is there a security setting that prevents doas scripts to run on login maybe?

TYIA

[jggimi]

I've just tested this. Here were my steps:

1. Create an untrusted user that cannot log in with a shell or use a password. I used adduser(8) to create this userid "untrusted". This is an exact copy from /etc/master.passwd of the results, and you can see the second field in the record, the encrypted password, merely contains an asterisk. There is no way for this user to obtain a working shell or enter a password except as I provide it:
   Code:

   untrusted:*:1001:1001::0:0:untrusted:/home/untrusted:/sbin/nologin

2. Generate a key pair for this user. This will create a private RSA key in the file untrusted, and a public RSA key in the file untrusted.pub in the working directory:
   Code:

   $ ssh-keygen -f untrusted
   Generating public/private rsa key pair.
   Enter passphrase (empty for no passphrase): 
   Enter same passphrase again: 
   Your identification has been saved in untrusted
   Your public key has been saved in untrusted.pub
   The key fingerprint is:
   <hash>
   The key's randomart image is:
   <visual hash>

3. Copy the public key into the user's ~/.ssh/authorized_keys file with something like: # cat untrusted.pub >> /home/untrusted/.ssh/authorized_keys. if you prefer you can use cp(1) / chown(8) instead.
4. Provision sshd(8) so that this untrusted user is forced to execute a single command without an attached pty, cannot use a password, and cannot use any SSH forwarding. I recommend putting your script in /usr/local/libexec to avoid having it accidentally appear in any shell's $PATH. Something like this should be at the tail end of your /etc/ssh/sshd_config file:
   Code:

   Match User untrusted
           X11Forwarding no
           AllowTcpForwarding no
           PermitTTY no
           PasswordAuthentication no
           ForceCommand /usr/local/libexec/untrusted.user.script

5. Place something that is both safe and useful for testing into the script, such as:
   Code:

   #!/bin/sh
   echo this is a test script

   Be sure this file is marked executable, e.g.: # chmod +x /usr/local/libexec/untrusted.user.script
6. Restart sshd(8), for example with: # rcctl restart sshd.
7. Test this script. If everything works, you'll see something like:
   Code:

   $ ssh -i untrusted untrusted@localhost
   PTY allocation request failed on channel 0
   this is a test script
   Connection to localhost closed.

   If you get different results you may want to stop sshd(8) and run it manually with the -d option to get diagnostic output to help you determine what is provisioned incorrectly.
8. Put something safe that requires root access into the test script, such as # echo ls /root >> /usr/local/libexec/untrusted.user.script. Test the script again. You should see something like:
   Code:

   $ ssh -i untrusted untrusted@localhost
   PTY allocation request failed on channel 0
   this is a test script
   ls: root: Permission denied
   Connection to localhost closed.

9. Permit the user to execute this command as root without a password, such as with this line in doas.conf(5):
   Code:

   permit nopass untrusted cmd /usr/local/libexec/untrusted.user.script

10. Edit the sshd_config(8), and add doas to the ForceCommand:
    Code:

    ForceCommand /usr/bin/doas /usr/local/libexec/untrusted.user.script

    Restart sshd(8).
11. Test this safe script again. Root authority has been granted:
    Code:

    $ ssh -i untrusted untrusted@localhost
    PTY allocation request failed on channel 0
    this is a test script
    .Xauthority
    .Xdefaults.....

12. Edit your dangerous script to do what you want it to do.
13. Have the untrusted user send you their own public key for inserting into /home/untrusted/.ssh/authorized_keys. Alternatively, give the public/private RSA key pair (the files {untrusted, untrusted.pub} created in step 2) to your untrusted user, via secure means.

[SimpL]

Thanks a million jggimi!