September 21, 2005

Lock Down

Host security is a very important topic. You want to keep your machine as secure as possible. One security principle that most overlook is the "Principle of Least Privilege." This principle states that you should give a user only enough access to get their job done, and no more. Many different tools, ideas, and practices have been created to help stick to this principle (e.g. su, sudo, PAM). I'm going to show you two very powerful tools/ideas that will vastly improve your security by limiting certain accounts while still leaving enough access that functionality isn't restricted. I'm first going to introduce you to scponly. Then I'll demonstrate a cool PAM trick to create a "su only" user.

First, SCPonly. Many protocols have been created to replace the aging protocols of yesteryear (FTP, Telnet, RSH, RCP, etc.). SSH is one of the more popular. Secure Shell, or SSH, allows one to connect to a remote shell while the traffic between hosts is encrypted. Many of the plain-text protocols have been replaced by SSH. To emulate an FTP-only server (i.e. an account without an interactive shell which can still upload and download files), you can use tools such as scponly. SCPonly is a restricted shell that only allows scp traffic and denies any interactive shell traffic.

I've created some rpms of scponly, and they are located here and here. The scponly-chroot package enables the chrooted shell, which doesn't allow a user outside of their home directory.

There's also a package named SCPjailer that will assist you in creating the chroot jails for the chrooted version of SCPonly.

I'm currently working on some tools to make creating users with these two programs much simpler, so watch this space for news on the upcoming scponly-tools.

I've also recently come up with a PAM trick which will allow you to create a user which can only be accessed via the su command. That's right, no direct login at all! Here's how you accomplish this:

  1. Create a new user who will only be accessible via su
     # useradd kyle
  2. Restrict the new user account from all access by modifying the file /etc/pam.d/system-auth by adding the pam_listfile.so line as shown:
    auth        required      /lib/security/$ISA/pam_env.so
    auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
    auth        required      /lib/security/$ISA/pam_deny.so

    account required /lib/security/$ISA/pam_unix.so
    account required /lib/security/$ISA/pam_listfile.so sense=deny onerr=succeed item=user file=/etc/suonlyusers
    account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
    account required /lib/security/$ISA/pam_permit.so

    password requisite /lib/security/$ISA/pam_cracklib.so retry=3
    password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
    password required /lib/security/$ISA/pam_deny.so

    session required /lib/security/$ISA/pam_limits.so
    session required /lib/security/$ISA/pam_unix.so

  3. After editing that file, create the file /etc/suonlyusers and add a single line with the username of whomever you are trying to restrict (in our case: kyle)

  4. Unrestrict the same user when using the su command.
    Edit the file /etc/pam.d/su and add the pam_listfile.so line as shown:

    auth sufficient /lib/security/$ISA/pam_rootok.so
    # Uncomment the following line to implicitly trust users in the "wheel" group.
    #auth sufficient /lib/security/$ISA/pam_wheel.so trust use_uid
    # Uncomment the following line to require a user to be in the "wheel" group.
    #auth required /lib/security/$ISA/pam_wheel.so use_uid
    auth required /lib/security/$ISA/pam_stack.so service=system-auth
    account sufficient /lib/security/$ISA/pam_listfile.so item=user sense=allow onerr=succeed file=/etc/suonlyusers
    account required /lib/security/$ISA/pam_stack.so service=system-auth
    password required /lib/security/$ISA/pam_stack.so service=system-auth
    # pam_selinux.so close must be first session rule
    session required /lib/security/$ISA/pam_selinux.so close
    session required /lib/security/$ISA/pam_stack.so service=system-auth
    # pam_selinux.so open and pam_xauth must be last two session rules
    session required /lib/security/$ISA/pam_selinux.so open multiple
    session optional /lib/security/$ISA/pam_xauth.so
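
The trick depends on rule order in both files, which is easy to break when editing them later. The script below is an added example, not part of the original post (rule_line, check_suonly and make_sample are names made up for it); it checks that layout and runs against constructed copies of the two account stacks:

```shell
#!/bin/sh
# Added example; the helper names are this example's own, not from the post.
# rule_line FILE CONTROL MODULE "ARGS": line number of the first active account
# rule with that control flag and module that carries every listed argument.
rule_line() {
    awk -v ctl="$2" -v mod="$3" -v need="$4" '
        $1 == "account" && $2 == ctl && index($3, mod) {
            n = split(need, w, " "); hits = 0
            for (i = 1; i <= n; i++)
                for (f = 4; f <= NF; f++) if ($f == w[i]) { hits++; break }
            if (hits == n) { print NR; exit }
        }' "$1"
}

# check_suonly SYSTEM_AUTH SU_FILE LIST USER: 0 only if the layout blocks direct
# logins for USER while su can still reach the account.
check_suonly() {
    sysauth=$1 sufile=$2 list=$3 user=$4 rc=0
    deny=$(rule_line "$sysauth" required pam_listfile.so "sense=deny item=user file=$list")
    skip=$(awk '$1 == "account" && $2 == "sufficient" { print NR; exit }' "$sysauth")
    allow=$(rule_line "$sufile" sufficient pam_listfile.so "sense=allow item=user file=$list")
    stack=$(rule_line "$sufile" required pam_stack.so "service=system-auth")
    [ -n "$deny" ] || { echo "FAIL: no required sense=deny rule in $sysauth"; rc=1; }
    # A sufficient rule that succeeds ends the stack: a deny below it is skipped.
    if [ -n "$deny" ] && [ -n "$skip" ] && [ "$deny" -gt "$skip" ]; then
        echo "FAIL: deny rule is below an 'account sufficient' rule"; rc=1
    fi
    [ -n "$allow" ] || { echo "FAIL: no sufficient sense=allow rule in $sufile"; rc=1; }
    # A required deny that has already failed cannot be rescued by a later sufficient.
    if [ -n "$allow" ] && [ -n "$stack" ] && [ "$allow" -gt "$stack" ]; then
        echo "FAIL: allow rule is below the system-auth stack in $sufile"; rc=1
    fi
    grep -qxF -- "$user" "$list" 2>/dev/null || { echo "FAIL: $user not in $list"; rc=1; }
    return $rc
}

# Constructed sample: write both account stacks into DIR; ORDER=swapped puts the
# allow rule below the system-auth stack to show the failure.
make_sample() {
    l=$1/suonlyusers; echo kyle > "$l"
    a="account sufficient pam_listfile.so item=user sense=allow onerr=succeed file=$l"
    s="account required pam_stack.so service=system-auth"
    if [ "$2" = swapped ]; then printf '%s\n%s\n' "$s" "$a"; else printf '%s\n%s\n' "$a" "$s"; fi > "$1/su"
    printf '%s\n' "account required pam_unix.so" \
        "account required pam_listfile.so sense=deny onerr=succeed item=user file=$l" \
        "account sufficient pam_succeed_if.so uid < 100 quiet" > "$1/system-auth"
}

d=$(mktemp -d) && make_sample "$d" ok && check_suonly "$d/system-auth" "$d/su" "$d/suonlyusers" kyle && echo "OK: kyle is su-only"
rm -rf "$d"
```

To audit a real host, call check_suonly /etc/pam.d/system-auth /etc/pam.d/su /etc/suonlyusers kyle.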


Try giving your user a password, logging in directly, or accessing the user account via su.
Quite a trick.
(ranks a 4.3 out of 5 in my book)

Posted by dcarter at September 21, 2005 04:24 PM
