Is it safe to use /bin/cat as shell for a restricted user?
This is a pretty standard reason to change the shell. Typically /bin/false or other shells like /bin/cat are used. Typically you can't escape from /bin/cat and it is unlikely that cat has a security bug, but other methods may still work, like creating a DoS or bypassing firewall rules.

Another, probably more severe, problem is if you are using the internal-sftp module for sftp. This would allow users with /bin/cat as shell to use sftp to get access to your file system and browse its content.

For your specific use case I would recommend using tunnels or VPNs instead of providing ssh access to your customers.
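As an added example (not part of the answer or the question above), the following sshd_config(5) Match block keeps the tunnel-only behaviour the question wants while closing the internal-sftp and port-forwarding gaps the answer points out; it assumes the user name and port from the question, a normal login shell for that user, and OpenSSH 7.8 or later for PermitListen.

```sshd_config
# Added example, not from the original post. Per-user block for the
# reverse-tunnel account "uremonte" from the question (assumed name).
#
# The "cat trap" is applied with ForceCommand instead of a /bin/cat login
# shell. ForceCommand also overrides subsystem requests, so an "sftp"
# request from the client ends up talking to cat rather than to
# internal-sftp. A /bin/cat login shell cannot give that guarantee:
# internal-sftp runs inside sshd and never touches the shell.
#
# Match blocks apply until the next Match or end of file, so keep this
# at the very end of sshd_config.
Match User uremonte
    ForceCommand /bin/cat        # every session just blocks on stdin
    AllowTcpForwarding remote    # -R only: no -L / -D pivoting through this host
    PermitListen 12345           # the single port the tunnel may bind (OpenSSH >= 7.8)
    PermitTTY no                 # no pty; plain "ssh user@host" continues without one
    X11Forwarding no
    AllowAgentForwarding no
    PermitTunnel no              # no tun(4) layer-2/3 tunnels
```

After editing, validate with `sshd -t` and inspect the effective settings for the account with `sshd -T -C user=uremonte` before restarting the daemon.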
Updated on September 18, 2022

Comments
- juice over 1 year
I need to remotely log on to a few people's machines to do maintenance tasks, but sometimes the machines can be behind firewalls or NATs. The way I have been doing it is to give the user advice on how to log in to my system with SSH so that reverse tunneling is enabled, like "use the command ssh -R 12345:localhost:22 [email protected] and log in with the password xyzzy". Now, this works fine, but for the sake of safety I need to go and disable the ssh login for user uremonte when I am done, and remember to re-enable it when I need it again, or else someone might log into my administration frontend machine unwanted, or said legitimate users might try to mess around while I am using the tunnel. I thought of setting the user shell in /etc/passwd to /bin/cat, so anyone logging in does not get a chance to do anything on the shell, and still the connection would stay alive for the reverse tunnel. This seems to be OK, but I would like to be sure this does not punch any holes in my system. So, the question is, is this absolutely safe? Is there any way somebody logging in to this account could break away from the cat-trap?
- juice almost 12 years
I checked the use case for sftp, and the result is as desired, meaning it is not possible to establish an sftp session. There are no other protocols that are available, so I am pretty sure it is secure.