[lug] replacing login shell

D. Stimits stimits at idcomm.com
Wed Jun 26 14:24:51 MDT 2002


One thing many people don't seem to realize (not talking about BLUG, but
unrelated experiences) is that a shell can be almost any program that
accepts stdin. If you look in /etc/, files "shells" and "passwd", you
can add different programs to become a login. A very long time ago, I
once added a MUD as the login shell to a few users I wanted to chat with
(and you could do this with an IRC client as well). If you were to get
the source to the ssh client, and hard wire it to a specific IP address,
and possibly disable a few things, you'd be much more secure than with a
script that can be suspended (let's say you have the script secure, then
you would still have the ssh problems, so having only ssh is not a
penalty compared to script controlled ssh). One thing that makes me
suggest hard wiring is that you need to pass arguments to ssh client... I
would hard code it as needed, make it not accept arguments, and call it
something like "ssh-shell", then add it to /etc/shells, and alter given
login names to have this as the default shell (and if this is the case,
they will find it difficult to chsh to a non-ssh shell).

D. Stimits, stimits at idcomm.com
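
Added example, not part of the original post: a minimal "ssh-shell" written as a small compiled wrapper around an unmodified ssh client, rather than the patched ssh source the post suggests. The ssh path, the placeholder address 192.0.2.10 and the helper name build_ssh_argv are assumptions made for illustration.

```c
/* ssh-shell.c: fixed-destination login shell (added illustration). */
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

#define SSH_PATH   "/usr/bin/ssh"  /* assumed location of the ssh client */
#define FIXED_HOST "192.0.2.10"    /* placeholder address (TEST-NET-1) */

/* Build the ssh argument vector from compiled-in constants plus the
 * account name. Nothing from the caller's argv or environment is used.
 * Returns the argument count, or -1 if the name or buffer is unusable. */
int build_ssh_argv(const char *user, const char *out[], size_t cap)
{
    /* reject empty names and names starting with '-' */
    if (user == NULL || user[0] == '\0' || user[0] == '-' || cap < 9)
        return -1;
    int n = 0;
    out[n++] = "ssh";
    out[n++] = "-F"; out[n++] = "/dev/null"; /* ignore per-user and system ssh config */
    out[n++] = "-e"; out[n++] = "none";      /* no escape character, so no ~^Z suspend */
    out[n++] = "-l"; out[n++] = user;
    out[n++] = FIXED_HOST;                   /* the only reachable destination */
    out[n] = NULL;
    return n;
}

int main(int argc, char **argv)
{
    (void)argc; (void)argv;                  /* arguments are never consulted */
    struct passwd *pw = getpwuid(getuid());  /* identity from the uid, not $USER */
    const char *args[9];
    if (pw == NULL || build_ssh_argv(pw->pw_name, args, 9) < 0) {
        fputs("ssh-shell: cannot determine account\n", stderr);
        return 1;
    }
    /* Replace the inherited environment (this also drops TERM). */
    char *envp[] = { "PATH=/usr/bin:/bin", NULL };
    execve(SSH_PATH, (char *const *)args, envp);
    perror("ssh-shell: execve");             /* reached only if execve failed */
    return 1;
}
```

Build with `cc -o ssh-shell ssh-shell.c`, then install it as the post describes: list its path in /etc/shells and set it as the account's shell in /etc/passwd.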


