Re: [cobalt-users] SSH and Telnet on a Qube3
- Subject: Re: [cobalt-users] SSH and Telnet on a Qube3
- From: Bruce Timberlake <bruce.timberlake@xxxxxxx>
- Date: Wed Dec 12 18:24:27 2001
- Organization: Sun Microsystems, Inc.
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
Parker Morse wrote:
>
> I'm continuing my efforts to tighten down security on my Qube3. I just
> installed Taco's OpenSSH 3.0.2 pkg, for one thing. I'm trying to get to a
> point where I can turn off telnetd completely, of course. But here's my
> problem.
>
> With Telnet turned off completely, I am able to get a shell via SSH ONLY as
> admin. If I open an SSH connection as an unprivileged user, the Qube says,
> "Telnet not permitted" and closes the connection. Well, sure Telnet's not
> permitted, that was the point. But why can't I open a shell that's not
> Telnet?
>
> Another data point: with the admin SSH window open, I tried su-ing to an
> unprivileged user. Same error.
>
> I found someone else asking the same question in the archives; the answer
> was: "You have to set Shell-access for the user in site/serveradmin." Maybe
> I'm a little dense, but I need some more explanation for that to be helpful
> to me. It does sound likely that I need to modify a config file somewhere.
The problem is that the Qube doesn't deal with shell access on a
per-user basis like the RaQ does. It assumes everyone has shell or
nobody does (or that just admin does). The mechanism to accomplish this
is: /etc/passwd entries for all users specify /bin/usersh for the shell,
instead of directly saying /bin/bash. When telnet is not enabled for
everyone (i.e., allowed only for admin, or denied for everyone),
/bin/usersh is a symlink to /bin/badsh, which contains:
#!/bin/sh
/bin/echo -e "\nTelnet not permitted.\n\n"
and you are not allowed to connect via any mechanism (telnet OR ssh).
To fix this, you need to disable this whole usersh mechanism, which
means you can no longer effectively use the UI to allow/deny
telnet/shell access by user. So I set telnet to "disable for everyone"
in the Qube UI, and then...
1. In /usr/sausalito/perl/Sauce/Config.pm: change
sub default_shell { '/bin/usersh'; }
to
sub default_shell { '/bin/bash'; }
2. In /usr/sausalito/perl/TelnetAccess.pm: change
$TelnetAccess::ShellSymlink = "/bin/usersh";
to
$TelnetAccess::ShellSymlink = "/bin/bash";
3. In /usr/sausalito/sbin/initTelnet.sh: change
/bin/usersh
to
/bin/badsh
This will make all *new* users created have /bin/bash as their shell.
Then you can use vipw to edit /etc/passwd and do a
:%s/usersh/bash/g
to globally change any existing usersh entries to bash.
And, of course, if only admin should be able to SSH into the Qube, leave
all the users as /bin/usersh (or /bin/badsh) and manually set admin to
use /bin/bash.
And remember... ALL THE ABOVE MENTIONED IDEAS ARE UNOFFICIAL AND
UNSUPPORTED. USE AT YOUR OWN RISK!!
--
Bruce Timberlake
Technology Engineer
Sun Cobalt Server Appliances
Sun Microsystems, Inc.
E: bruce.timberlake@xxxxxxx
U: http://www.sun.com/cobalt/
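The vipw step above does a global substitution of "usersh" with "bash" across the whole of /etc/passwd. The script below is an added example, not code from the original post or from Sun/Cobalt, showing a narrower way to do the same edit on a copy of the file: it rewrites only the login-shell field (field 7 of passwd(5)) and, optionally, only for named accounts, which covers both the "everyone gets bash" case and the "only admin should SSH in" case. The sample passwd lines, account names and UIDs are constructed for the demonstration; the "usershop" account is there to show what a global substitution would do to a username or GECOS field that happens to contain the string. On the appliance itself the edit should still go through vipw, which locks the real /etc/passwd.

```shell
#!/bin/sh
# Added example, not code from the original post or from Sun/Cobalt.
# Works on a passwd(5)-format file; use vipw for the real /etc/passwd.

# set_login_shell FILE OLD NEW [USER...]
# Change the login shell (field 7) from OLD to NEW. With no USER arguments
# every account whose shell is OLD is changed; with USER arguments only those
# accounts are. Username, GECOS and home directory are never touched, which a
# global :%s/usersh/bash/g in vipw does not guarantee.
set_login_shell() {
    file=$1; old=$2; new=$3; shift 3
    awk -F: -v OFS=: -v old="$old" -v new="$new" -v users="$*" '
        BEGIN { n = split(users, u, " "); for (i = 1; i <= n; i++) want[u[i]] = 1 }
        NF >= 7 && $7 == old && (n == 0 || ($1 in want)) { $7 = new }
        { print }
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# login_shell FILE USER: print the login shell of USER.
login_shell() {
    awk -F: -v u="$2" '$1 == u { print $7 }' "$1"
}

# count_shell FILE SHELL: number of accounts whose login shell is SHELL.
count_shell() {
    awk -F: -v s="$2" '$7 == s { c++ } END { print c + 0 }' "$1"
}

# demo_admin_only: write a constructed sample passwd file (account names and
# ids are invented), give only admin a real shell, and print the file's path.
# The "usershop" account shows why a global substitution of "usersh" is
# unsafe: it would rename the account and alter its GECOS field as well.
demo_admin_only() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
root:x:0:0:root:/root:/bin/bash
admin:x:500:500:Administrator:/home/admin:/bin/usersh
usershop:x:501:501:Shop account usersh:/home/usershop:/bin/usersh
parker:x:502:502:Parker Morse:/home/parker:/bin/usersh
EOF
    set_login_shell "$f" /bin/usersh /bin/bash admin
    echo "$f"
}

f=$(demo_admin_only)
cat "$f"     # admin now has /bin/bash; every other usersh line is unchanged
rm -f "$f"
```

Calling set_login_shell without a user list (for example `set_login_shell /tmp/passwd.copy /bin/usersh /bin/bash`) is the field-scoped equivalent of the global vipw substitution, and is the right call when telnet has been set to "disable for everyone" in the UI and every account is meant to get a real shell over SSH.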