[lug] replacing login shell
Hugh Brown
hugh at vecna.com
Tue Jun 25 15:04:46 MDT 2002
On Tue, 2002-06-25 at 16:53, Jonathan Briggs wrote:
> On Tue, 2002-06-25 at 14:30, Hugh Brown wrote:
> > What sorts of things can I try to break it (Jonathan mentioned the need
> > for a special telnet binary)? I want to test all avenues for getting
> > out to a shell (e.g. I got to a telnet> prompt and did a !/bin/sh date
> > but didn't get anything but another login prompt on somehost).
>
I will give all of these a try. I am inclined to think that these all
use the login shell to do these actions, and since the login shell does
"telnet somehost", they just get another login prompt. I will definitely
try all of these things and report back.
Hugh
> Try ^]!date
>
> That should run the date command locally.
>
> Also try:
> ^]!/bin/sh -norc -noprofile
>
> And:
> ^]!/bin/sh -c date
>
> And:
> ^]^Z
> Which should suspend the telnet session and leave you in a local shell.
>
> In my version of telnet, it looks like you could run telnet -E. The man
> page claims that -E will prevent using an escape character like ^].
>
> If you are giving people ssh access, be aware that they can use ssh to
> run commands on the ssh server like this: ssh [server] cat /etc/passwd
> Or: ssh [server] /bin/sh -norc -noprofile -i
>
> If you use RSA/DSA key authentication with ssh and disable passwords,
> you can use the authorized_keys file to define a command to be run for
> that login key. Doing this will prevent the users from running anything
> else with ssh.
> --
> Jonathan Briggs
> jbriggs at esoft.com
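
The authorized_keys forced command described at the end of the thread, as an added example that is not part of the original messages: make_entry builds a key line pinned to "telnet -E somehost", and unpinned_keys lists keys in a file that have no command= option and so can still run arbitrary commands over ssh. The function names and the sample key used to exercise them are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread. Function names are hypothetical.

# make_entry '<forced command>' '<public key line>'
# Prints an authorized_keys line that pins the key to one command.
make_entry() {
    # A double quote would terminate the command="..." option early.
    case $1 in *\"*) echo "forced command must not contain double quotes" >&2; return 1 ;; esac
    case $2 in
        ssh-rsa\ *|ssh-dss\ *|ssh-ed25519\ *|ecdsa-sha2-*\ *) ;;
        *) echo "not a public key line" >&2; return 1 ;;
    esac
    # no-pty is left out on purpose: an interactive telnet session needs a terminal.
    printf 'command="%s",no-port-forwarding,no-X11-forwarding,no-agent-forwarding %s\n' "$1" "$2"
}

# unpinned_keys <authorized_keys file>
# Prints each key line that lacks a command= option; returns 1 if any exist.
unpinned_keys() {
    awk '
    /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
    {
        s = tolower($0); sub(/^[ \t]+/, "", s)
        inq = 0; pinned = 0
        # Walk the first field only; options end at the first unquoted blank.
        for (i = 1; i <= length(s); i++) {
            c = substr(s, i, 1)
            if (inq) {
                if (c == "\\") i++          # skip an escaped character
                else if (c == "\"") inq = 0
                continue
            }
            if (c == " " || c == "\t") break
            if (c == "\"") { inq = 1; continue }
            # command= counts only outside quotes, at the start or after a comma
            if (substr(s, i, 8) == "command=" && (i == 1 || substr(s, i - 1, 1) == ","))
                pinned = 1
        }
        if (!pinned) { print; bad = 1 }
    }
    END { exit bad + 0 }' "$1"
}
```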