[lug] replacing login shell

Hugh Brown hugh at vecna.com
Tue Jun 25 15:04:46 MDT 2002


On Tue, 2002-06-25 at 16:53, Jonathan Briggs wrote:
> On Tue, 2002-06-25 at 14:30, Hugh Brown wrote:
> > What sorts of things can I try to break it (Jonathan mentioned the need
> > for a special telnet binary)?  I want to test all avenues for getting
> > out to a shell  (e.g. I got to a telnet> prompt and did a !/bin/sh date
> > but didn't get anything but another login prompt on somehost).
> 

I will give all of these a try.  I am inclined to think that these all
use the login shell to do these actions and since the login shell does
"telnet somehost" they just get another login prompt.  I will definitely
try all of these things and report back.

Hugh

> Try ^]!date
> 
> That should run the date command locally.
> 
> Also try:
> ^]!/bin/sh -norc -noprofile
> 
> And:
> ^]!/bin/sh -c date
> 
> And:
> ^]^Z
> Which should suspend the telnet session and leave you in a local shell.
> 
> In my version of telnet, it looks like you could run telnet -E.  The man
> page claims that -E will prevent using an escape character like ^].
> 
> If you are giving people ssh access, be aware that they can use ssh to
> run commands on the ssh server like this: ssh [server] cat /etc/passwd
> Or: ssh [server] /bin/sh -norc -noprofile -i
> 
> If you use RSA/DSA key authentication with ssh and disable passwords,
> you can use the authorized_keys file to define a command to be run for
> that login key.  Doing this will prevent the users from running anything
> else with ssh.
> -- 
> Jonathan Briggs
> jbriggs at esoft.com
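As an added illustration of the setup discussed above (not code from either poster): a telnet-only login shell that discards whatever arguments sshd or login hand it, plus the authorized_keys forced-command entry Jonathan suggests. The telnet path, the `-E` behaviour Jonathan's man page describes, the destination `somehost` and the wrapper's install path are assumptions.

```shell
#!/bin/sh
# telnet-only login shell for the setup discussed in the thread.
# Added example, not code from the thread. Assumptions: a BSD/netkit telnet
# at /usr/bin/telnet that accepts -E (no escape character), a placeholder
# destination "somehost", and this script installed as /usr/local/bin/telnet-shell.
TELNET=/usr/bin/telnet
TARGET_HOST=somehost
WRAPPER=/usr/local/bin/telnet-shell

# The one command this shell will ever exec. Arguments given to the login
# shell are deliberately thrown away: "ssh server cmd" runs the login shell
# as "$SHELL -c cmd", and a forced command arrives the same way, so neither
# may change what gets run.
build_argv() {
    # $1, $2, ... (e.g. "-c" "/bin/sh -norc -noprofile -i") are never used.
    printf '%s -E %s' "$TELNET" "$TARGET_HOST"
}

# authorized_keys line for a key that may only reach the wrapper (Jonathan's
# forced-command idea). Port, agent and X11 forwarding are switched off; a
# pty is still allowed because telnet needs an interactive terminal.
authorized_keys_entry() {
    # $1 = the user's public key material
    printf 'command="%s",no-port-forwarding,no-X11-forwarding,no-agent-forwarding %s\n' \
        "$WRAPPER" "$1"
}

run_shell() {
    umask 077
    cd / || exit 1
    # -E stops the ^] escape (and with it ^]!cmd and ^]^Z); the escape
    # sequences listed in the thread are still worth re-testing against the
    # installed telnet binary after any upgrade.
    exec $(build_argv)
}

# Start telnet only when invoked as a login shell: login(1) and sshd set
# argv[0] to "-telnet-shell" or "telnet-shell". Sourcing or running this file
# under another name (as in tests) defines the functions only.
case "$0" in
    -*|*/telnet-shell|telnet-shell) run_shell "$@" ;;
esac
```

Install it with chsh or in /etc/passwd as the user's shell; because `-c` is ignored, `ssh server cat /etc/passwd` also just ends up in telnet.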
