1

I am a lazy Linux user and often use very short passwords for my main user account(s).

Now, hopefully my firewall takes care of blocking most unsolicited access attempts and the OS (as far as it goes) deals with exploit attacks.

Anyway, I do wish to have remote ssh access for when I am out and about. So what do I do?

I disable all users for ssh, including my main account and rather allow one single ssh user with a super-password.

Is this a good practice? why{,not}?

So here is the question...given this is a benevolent action, I would like to further disable all commands for this ssh user (ls, cd, etc) except one > sudo or su.

(the root account of course also has an amazingly long and quirky quantum-inferred alien password).

Of course, all this would do is buy some time (would need to guess/know about the other username with the lazy password, and then do another rainbow/bruteforce attack), however this would or could hopefully make me notice someone is being a bad girl.

Someone could say.. please use a mega password for all accounts but as I said... I run so many sudo commands etc over the course of an admin day.. I am lazy...

Any other ideas or practical tips or ways of diminishing the attack surface for Linux machines (servers/clients) are appreciated.

EDIT: Oh ye... the short password scheme here, does ignore physical login attacks... this is purely over-the-network related.

EDIT2: perhaps a bash script which listens to stdin for username... which then runs su $1 and do usermod -s script.sh ssh_user ? or does that introduce other dangers?

For those who might be interested.. I wrote a simple non-verbose script which expects a special handshake before running su my_lazy_user and pointed it as the login shell.

Seems ok enough for me. If this leads to other attack methods.. please shout out.

(I am content with the error handling of the script, which, as long as no heap, stack or buffer attacks are enabled, should be fine).

Thanks.

4
  • 1
    Configure ssh to use RSA/DSA keys, disable password login. No more password typing (except for the initial ssh-agent setup) and more secure. Commented Jan 14, 2013 at 0:20
  • @jgr. You obviously don't understand the profile of so many users. I am looking for knowledgeable answers, sorry.
    – user1975120
    Commented Jan 14, 2013 at 0:30
  • @Frank ... is this not bound to a specific host then? I sometimes might be a guest at freaks.uni.edu and borrowing a ssh client to log into my beloved server stashed with info on how to make designer drugs for non-focused students say.
    – user1975120
    Commented Jan 14, 2013 at 0:38
  • If by "bash script" you mean something started in .bashrc or something, better not do that. You can just Ctrl-C your way into freedom as an attacker. Changing the login shell should be fine though, see my answer.
    – Christian
    Commented Jan 14, 2013 at 10:56

1 Answer

1

I guess the easiest option would be to use chsh to change the shell for this user to a script that does your su command (because I don't think you can configure parameters to the shell of a user).

Using a standard shell and trying to forbid builtins like ls and cd ... tough luck with that. But since what you really want is much simpler than what the title suggests, this should work. You can even ask for the user to su to in the script. It should all be secure since when someone closes the script, this will mean the login shell was terminated and the connection is closed.

1
  • Christian has a good point above. If all you want to do is execute a certain program when the user logs in, use chsh for that. Now you need to take care that there is no exploit in the program you're presenting to the user. Many interactive programs (e.g., vi, emacs, elinks...) give the user a way to start a shell, or otherwise do things you didn't consider.
    – snacky
    Commented Jan 15, 2013 at 1:53
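
One way to write the login-shell script the answer describes, as an added example that is not from any poster in this thread. The install path `/usr/local/bin/su-gate`, the allowlist variable and the function names are assumptions; `ssh_user` and `my_lazy_user` are the names used in the question.

```shell
#!/bin/sh
# Added example: a login shell that can only hand over to `su`.
# Assumed install (hypothetical path):
#   chsh -s /usr/local/bin/su-gate ssh_user   # path may need listing in /etc/shells
LC_ALL=C                       # make the a-z range below byte-exact
ALLOWED_USERS="my_lazy_user"   # assumption: accounts this gate may su to

# Succeeds only for a well-formed name that is on the allowlist.
is_allowed_user() {
    case "$1" in
        ''|-*|*[!a-z0-9_-]*) return 1 ;;   # empty, option-like, odd characters
    esac
    for u in $ALLOWED_USERS; do
        if [ "$1" = "$u" ]; then return 0; fi
    done
    return 1
}

# sshd starts the login shell as "shell -c <command>" for `ssh host command`,
# so any argument at all means this is not a plain interactive login.
is_plain_login() {
    [ "$#" -eq 0 ]
}

gate_main() {
    is_plain_login "$@" || exit 1
    printf 'user: '
    IFS= read -r target || exit 1        # EOF or hang-up: session ends
    is_allowed_user "$target" || exit 1  # quiet failure, no hints
    # exec replaces this script with su, so no shell is left behind when
    # su exits or is interrupted; su still asks for the target's password.
    exec su - "$target"
}

# Run the gate only under its installed name, so the functions above can be
# sourced and checked without starting a login.
case "${0##*/}" in
    su-gate) gate_main "$@" ;;
esac
```

Because the script starts nothing but `su`, it offers none of the shell escapes that the comment above warns about for interactive programs.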
