[lug] replacing login shell
Jonathan Briggs
zlynx at acm.org
Tue Jun 25 14:53:08 MDT 2002
On Tue, 2002-06-25 at 14:30, Hugh Brown wrote:
> What sorts of things can I try to break it (Jonathan mentioned the need
> for a special telnet binary)? I want to test all avenues for getting
> out to a shell (e.g. I got to a telnet> prompt and did a !/bin/sh date
> but didn't get anything but another login prompt on somehost).
Try ^]!date
That should run the date command locally.
Also try:
^]!/bin/sh -norc -noprofile
And:
^]!/bin/sh -c date
And:
^]^Z
Which should suspend the telnet session and leave you in a local shell.
In my version of telnet, it looks like you could run telnet -E. The man
page claims that -E will prevent using an escape character like ^].
If you are giving people ssh access, be aware that they can use ssh to
run commands on the ssh server like this: ssh [server] cat /etc/passwd
Or: ssh [server] /bin/sh -norc -noprofile -i
If you use RSA/DSA key authentication with ssh and disable passwords,
you can use the authorized_keys file to define a command to be run for
that login key. Doing this will prevent the users from running anything
else with ssh.
--
Jonathan Briggs
jbriggs at esoft.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 232 bytes
Desc: This is a digitally signed message part
URL: <http://lists.lug.boulder.co.us/pipermail/lug/attachments/20020625/b5d87a50/attachment.pgp>
More information about the LUG
mailing list