login (or logout) script that runs a single command then logs out, uninterruptible [on hold]

I want to create a foolproof (and expertproof for that matter) script.
It's very simple, I'm just worried about any possible "attacks" to bypass the intention.
Intended order of operation:
1. User ssh's to server, provides username and password
2. Script runs a single command
3. User is kicked out
The only part I'm concerned about is whether someone could figure out a way to interrupt the script between 1. and 2. and stay logged in to the SSH shell.
Advice?
scripting login logout
put on hold as unclear what you're asking by Michael Homer, Goro, Romeo Ninov, Jeff Schaller, l0b0 yesterday
Please clarify your specific problem or add additional details to highlight exactly what you need. As it's currently written, it's hard to tell exactly what you're asking. See the How to Ask page for help clarifying this question. If this question can be reworded to fit the rules in the help center, please edit the question.
What are you trying to protect against? Information leakage? Stealing credentials? Gaining a shell on the server as a normal user? Denial of service?
– l0b0, 2 days ago
I thought I addressed that: "The only part I'm concerned about is whether someone could figure out a way to interrupt the script between 1. and 2. and stay logged in to the SSH shell"
– Daniel, 2 days ago
Possible duplicate of Creating a UNIX account which only executes one command
– Jeff Schaller, yesterday
That does look like a very similar question. I'm just a little more focused on "hardening" the setup to make sure they can't escape the "jail". I'm not sure if the other question fully addresses that.
– Daniel, yesterday
asked 2 days ago
Daniel
1 Answer
There's not enough information about the capabilities of possible attackers to say for sure, but I've tried with different assumptions:
- Assuming the attacker only has access to the communications channel, they would have to find an exploit in the SSH client, server or protocol to hijack a session created by someone else. You can protect against this by keeping software up to date and by restricting traffic to a local network or VPN.
- If they obtain root access to the client or server it is probably even theoretically impossible to stop them.
- If they are the ones running the SSH command they can simply run `ssh user@server bash` to get an interactive shell. You can protect against this with the authorized_keys file.
edited 2 days ago
answered 2 days ago
l0b0
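
The authorized_keys restriction mentioned in the answer can be checked mechanically. The script below is an added example, not part of the original answer: it flags key entries that lack OpenSSH's `command="..."` forced command or the `restrict` option. It assumes key-based login (authorized_keys options do not apply to password logins); the function names and the placeholder path are this example's own.

```shell
#!/bin/sh
# Added example: audit authorized_keys entries for a forced command.
# A locked-down entry looks like (path and key are placeholders):
#   restrict,command="/path/to/single-command" ssh-ed25519 <key> comment

# Print SKIP, OPEN, FORCED or LOCKED for one authorized_keys line.
classify_key_line() {
    # Blank out quoted values first so spaces, commas or the text
    # command= inside a quoted string cannot be misread as options.
    first=$(printf '%s\n' "$1" |
        sed -E 's/"([^"\\]|\\.)*"/""/g' |
        awk '{ print tolower($1) }')
    case $first in
        ''|'#'*) echo SKIP; return ;;              # blank line or comment
        ssh-*|ecdsa-*|sk-*) echo OPEN; return ;;   # key type first: no options
    esac
    case ",$first," in
        *,command=\"\",*) ;;                       # forced command present
        *) echo OPEN; return ;;                    # options, but client picks the command
    esac
    case ",$first," in
        *,restrict,*) echo LOCKED ;;   # forced command plus restrict
        *) echo FORCED ;;              # forced command only; sshd(8) notes forwarding
    esac                               # remains available unless prohibited
}

# Print "<line number> <verdict>" per key; return 1 unless every key is LOCKED.
audit_authorized_keys() {
    bad=0 n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        verdict=$(classify_key_line "$line")
        [ "$verdict" = SKIP ] && continue
        echo "$n $verdict"
        [ "$verdict" = LOCKED ] || bad=1
    done < "$1"
    return "$bad"
}

# Usage: sh audit.sh /home/someuser/.ssh/authorized_keys
if [ $# -gt 0 ]; then audit_authorized_keys "$1"; fi
```

An entry reported as OPEN lets the client choose the command, which is the `ssh user@server bash` case from the answer.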