Article by: Vovoid Research - Jonatan Wallmander
How to permit SFTP and SSH tunneling (Subversion, secure local services and the like)
by giving out a Unix shell account while still not permitting shell access
1. Introduction
Do you need encrypted Subversion access?
A secure file server reachable over SFTP?
Normally you would not expect an off-the-shelf Linux/Unix machine to provide this safely:
it takes extra configuration, and you end up having to trust your users, because SSH does
not make it easy to control which services they can reach once they hold an account. You can
build a chroot jail for them, but that is also a fair amount of work and is done
very differently on the various platforms... Is there a simpler way that works on all *ix platforms?
Yes!
You can replace the login shell with a small custom one. Users can still log in, and their
SFTP sessions and port forwards still work, but instead of a command prompt they only get
a welcome message from a process that does nothing but sleep.
2. The "sleep shell"
Here is the code for such a shell which you can use:
#include <unistd.h>   /* sleep(), execl() */
#include <stdio.h>    /* printf() */
#include <stdlib.h>   /* exit() */
#include <string>

/* The only command line this shell will run. It has to match the
   "Subsystem sftp ..." line in sshd_config character for character. */
static const char *SFTP_SERVER = "/usr/lib/openssh/sftp-server";

int main(int argc, char **argv) {
    /* sshd runs subsystems and remote commands as "shell -c <command>",
       so an SFTP request shows up here as argc == 3, argv[1] == "-c"
       and argv[2] == the command string from sshd_config. */
    if (argc == 3) {
        std::string a = argv[1];
        std::string b = argv[2];
        if (a == "-c" && b == SFTP_SERVER) {
            /* Exact match only: "ssh host id" or
               "ssh host '/usr/lib/openssh/sftp-server; id'" both fail it.
               Exec the server directly, without an intermediate /bin/sh,
               so its exit status becomes the session's exit status. */
            execl(SFTP_SERVER, SFTP_SERVER, "-l", "INFO", (char *)NULL);
            exit(1);   /* only reached if exec() itself failed */
        }
    }
    /* Interactive login or a tunnel-only session: print a banner and block
       forever, so the connection stays up but nothing can be executed. */
    printf("\n\nHello and welcome, your tunnel should be up now!\n");
    fflush(stdout);   /* stdout may be a pipe, not a tty; push the banner out */
    while (1)
        sleep(100000);
}
Notice how we let sftp-server through, and nothing else. The comparison is exact: sshd runs a subsystem (and any remote command) as sleepsh -c <command>, so the configured SFTP server is passed through, while a user who tries ssh host id, or ssh host '/usr/lib/openssh/sftp-server; id', fails the test and lands in the sleep loop. You may have to change the path to wherever sftp-server lives on your machine; it must match the Subsystem sftp line in sshd_config character for character (FreeBSD's base system installs it as /usr/libexec/sftp-server). If your sshd_config says Subsystem sftp internal-sftp instead, sshd serves SFTP in-process and never runs the login shell for it, so the check is irrelevant for SFTP.
Two things this shell does not do: it does not limit which ports a user may forward (use sshd's AllowTcpForwarding and PermitOpen for that), and it does not chroot the account, so SFTP exposes whatever files the account itself can read.
Templates for Debian/Ubuntu and FreeBSD are provided with this article.
3. Compiling the shell
For your convenience, the code can be downloaded from the URLs used in the commands below.
So on FreeBSD (as root), just go:
ftp http://research.vovoid.com/sleepshell/sleepshell_freebsd.cpp
g++ sleepshell_freebsd.cpp -o /bin/sleepsh
So on Debian or Ubuntu (as root), just go:
wget http://research.vovoid.com/sleepshell/sleepshell.cpp
g++ sleepshell.cpp -o /bin/sleepsh
Then just set
/bin/sleepsh
as the shell for the users you want to restrict, for example with
usermod -s /bin/sleepsh username
(pw usermod username -s /bin/sleepsh on FreeBSD, or chsh after adding /bin/sleepsh to /etc/shells). Simple as that!
To check the result: ssh username@host should print the welcome banner and nothing else, sftp username@host should give you a working SFTP session, and ssh -N -L 3690:localhost:3690 username@host should bring up a tunnel to a local svnserve.
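The sleep shell only ever passes through the exact string sshd hands it, so the one thing worth checking before switching an account over is that the Subsystem sftp line in sshd_config is byte-for-byte the path compiled into sleepsh. The following script is an added example, not code from the article or from Vovoid Research: it extracts the configured subsystem command the way sshd reads it (first uncommented match wins), classifies it against the compiled-in path, reports an account's login shell, and wraps the article's install steps behind an explicit "install" argument. The file names, function names and the check_sleepsh.sh name are assumptions for the example; the sshd_config and passwd files in the test are constructed.

```shell
#!/bin/sh
# Added example (not from the original article). Verifies that what sshd
# will run as "$SHELL -c <Subsystem command>" is exactly what sleepsh's
# argv[2] comparison accepts, then optionally performs the install.

# Path compiled into sleepsh (the Debian/Ubuntu value from the article).
SLEEPSH_SFTP_PATH="/usr/lib/openssh/sftp-server"

# Print the command configured for the sftp subsystem in an sshd_config.
# Commented lines are ignored and, like sshd, the first match wins.
sftp_subsystem_command() {
    # $1: path to an sshd_config file
    awk 'tolower($1) == "subsystem" && $2 == "sftp" {
             $1 = ""; $2 = ""; sub(/^[ \t]+/, ""); print; exit
         }' "$1"
}

# Classify the configured command against the path compiled into sleepsh.
# Prints one of: match | internal-sftp | missing | mismatch
sleepsh_policy_status() {
    # $1: sshd_config path, $2: path compiled into sleepsh
    cmd=$(sftp_subsystem_command "$1")
    case "$cmd" in
        "")             echo missing ;;        # no sftp subsystem configured
        internal-sftp*) echo internal-sftp ;;  # in-process sftp; the login shell never runs for it
        "$2")           echo match ;;          # exactly the string sleepsh accepts
        *)              echo mismatch ;;       # e.g. extra flags or another path: sleepsh rejects, sftp fails
    esac
}

# Print the login shell of an account from a passwd-format file.
account_shell() {
    # $1: passwd file, $2: account name
    awk -F: -v u="$2" '$1 == u { print $7; exit }' "$1"
}

# The article's install steps, only run as
# "sh check_sleepsh.sh install <user>" (as root, next to sleepshell.cpp).
install_sleepsh() {
    # $1: account to restrict
    g++ sleepshell.cpp -o /bin/sleepsh
    chmod 755 /bin/sleepsh
    # sshd does not consult /etc/shells, but chsh(1) and some FTP daemons do.
    grep -qx /bin/sleepsh /etc/shells || echo /bin/sleepsh >> /etc/shells
    usermod -s /bin/sleepsh "$1"
}

if [ "${1:-}" = install ]; then
    status=$(sleepsh_policy_status /etc/ssh/sshd_config "$SLEEPSH_SFTP_PATH")
    if [ "$status" != match ]; then
        echo "sshd_config sftp subsystem does not match sleepsh: $status" >&2
        exit 1
    fi
    install_sleepsh "${2:?account name required}"
    echo "$2 now has login shell $(account_shell /etc/passwd "$2")"
fi
```

A "mismatch" is the case to watch for: a Subsystem line such as /usr/lib/openssh/sftp-server -l INFO, or the FreeBSD path with a Debian-compiled sleepsh, makes every SFTP login silently end in the sleep loop instead of an SFTP session.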