[lug] replacing login shell
Hugh Brown
hugh at vecna.com
Tue Jun 25 18:36:08 MDT 2002
On Tue, 2002-06-25 at 16:53, Jonathan Briggs wrote:
> On Tue, 2002-06-25 at 14:30, Hugh Brown wrote:
> > What sorts of things can I try to break it (Jonathan mentioned the need
> > for a special telnet binary)? I want to test all avenues for getting
> > out to a shell (e.g. I got to a telnet> prompt and did a !/bin/sh date
> > but didn't get anything but another login prompt on somehost).
>
> Try ^]!date
This kicks back to a telnet login prompt (it reruns the telnetshell
script).
>
> That should run the date command locally.
>
> Also try:
> ^]!/bin/sh -norc -noprofile
ditto
>
> And:
> ^]!/bin/sh -c date
ditto
>
> And:
> ^]^Z
Does nothing.
> Which should suspend the telnet session and leave you in a local shell.
>
The only problem I see so far is that you can do a DoS by trying to
shell (it just starts up more and more telnet sessions; they do time out
after inactivity).
> In my version of telnet, it looks like you could run telnet -E. The man
> page claims that -E will prevent using an escape character like ^].
I will use it. I think I will also use the -c to disable a .telnetrc.
>
> If you are giving people ssh access, be aware that they can use ssh to
> run commands on the ssh server like this: ssh [server] cat /etc/passwd
> Or: ssh [server] /bin/sh -norc -noprofile -i
In this case it doesn't. It just runs the telnetshell script.
>
> If you use RSA/DSA key authentication with ssh and disable passwords,
> you can use the authorized_keys file to define a command to be run for
> that login key. Doing this will prevent the users from running anything
> else with ssh.
Unfortunately, this isn't an option. The client (JTA) doesn't support
it.
Hugh
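A restricted wrapper along the lines of the telnetshell script discussed in this thread, written here as an added example rather than Hugh's actual script. It assumes the target host is "somehost" (the thread's placeholder), a cap of four sessions per user, and that pgrep is available; it folds in the -E and -c flags from Jonathan's reply, ignores whatever "ssh server cmd" hands the login shell, and bounds the session-exhaustion problem Hugh noticed.

```sh
#!/bin/sh
# telnetshell: restricted login shell that only starts a telnet client to one host.
# Added example for this thread, not the list members' own script; HOST, the
# session cap and the use of pgrep are assumptions.

HOST="somehost"     # the only host users may reach ("somehost" is the thread's placeholder)
MAXSESSIONS=4       # per-user cap on concurrent telnet clients (assumed value)

# Compose the telnet command line. Kept as a function so it can be checked
# without a network or a telnet binary present.
#   -E  no escape character, so ^] never reaches the "telnet>" prompt and its "!" command
#   -c  ignore ~/.telnetrc, so nothing is pre-loaded from a user-writable file
build_telnet_cmd() {
    printf '%s' "telnet -E -c $HOST"
}

# Number of telnet clients the invoking user already has running.
session_count() {
    pgrep -u "$(id -un)" -x telnet 2>/dev/null | wc -l | tr -d ' '
}

# Succeeds (exit 0) while the count is below the cap; this is what bounds the
# "start more and more sessions" DoS mentioned in the thread.
under_cap() {
    [ "$1" -lt "$MAXSESSIONS" ]
}

main() {
    # Anything passed to the login shell (e.g. "-c cat /etc/passwd", which is how
    # "ssh server cat /etc/passwd" arrives) is ignored: $@ is never used.
    if ! under_cap "$(session_count)"; then
        echo "too many sessions, try again later" >&2
        exit 1
    fi
    # Ignored signal dispositions survive exec, so telnet inherits "ignore ^Z"
    # and cannot be stopped to hunt for a job-control shell (assumed policy).
    trap '' TSTP
    # exec replaces this shell, so when telnet exits there is no parent shell
    # left to fall back into; the login simply ends.
    exec $(build_telnet_cmd)
}

# Run only when installed and invoked as the login shell ("-telnetshell" is the
# name a login shell receives); sourcing or running under another name does not exec.
case "${0##*/}" in
    telnetshell|-telnetshell) main "$@" ;;
esac
```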