From: Aaron D. Gifford <agifford@infowest.com>
To: freebsd-security@freebsd.org
Subject: RE: ssh tricks (was Re: ssh -t /bin/sh trick (was Re: ftp
Date: Wed, 28 Feb 2001 19:09:49 -0700
Message-Id: <01022819094900.04839@jardan.infowest.com>

Since the topic strayed to SSH tricks, here's another to keep your eyes open for:

Assuming that /sbin/ftponly is a hard link to /sbin/nologin and /sbin/ftponly is in /etc/shells on a FreeBSD 4.2-STABLE (as of Jan. or Feb. 2001) system running the FTP and SSH services that are part of FreeBSD (the built-in ones), consider the following:

user:password.:101:101::0:0:Some FTP User:/home/ftponly/user:/sbin/ftponly

If this user attempts to log in using SSH to a shell, he/she will see the FreeBSD MOTD banner, then the line "This account is currently not available." after which the connection is terminated. With regard to the mentioned "ssh -t" trick, on my 4.2-STABLE box it does not work, giving the user just the single line message that the account is not available.

So you think you're completely safe. Maybe you are... BUT...

Are you aware that the FreeBSD SSH installation by default has TCP forwarding enabled? Are you completely aware of the implications? Smart admin that you are, you completely understand that this FTP-only user can still do fun stuff like:

ssh -l user your.ftp.server.host -L 7777:some.smtp.relay:25 -N

The user then uses this forwarding to send spam via your FTP server, which spam looks like it came from your FTP server (it did, via the SSH forwarded TCP connection). And your logging might not catch it (depending on how you have configured sshd logging) since utmp/wtmp won't show a thing. All sorts of other interesting possibilities exist too.

Just another SSH trick/feature to be aware of when limiting shell access for accounts (like FTP-only, or chrsh).

If there's anything I'm missing in the above, additional tricks I (and others) should watch out for, etc., please let me know. I love to learn new things.

Aaron out.
--
www.aarongifford.com
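One way to check for this exposure from the defender's side, as an added example that is not part of the original post: the script below parses passwd-style entries and an sshd_config and reports accounts whose shell is a no-login shell (/sbin/nologin, or the post's /sbin/ftponly hard link) while AllowTcpForwarding is still in effect for them. The account entries and config text are constructed samples, and the Match User handling assumes a modern OpenSSH; the 2001 sshd the post describes had no Match blocks, so there the only fix was a global AllowTcpForwarding no.

```python
"""Audit which no-login accounts sshd would still let open TCP forwards.
Added example, not code from the original post; the passwd and sshd_config
text below are constructed samples (Match blocks assume a modern OpenSSH)."""
import re

# Shells that refuse an interactive login but do not stop sshd from
# honouring -L/-R forwarding requests. /sbin/ftponly is the post's hard link.
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/sbin/ftponly"}

def parse_forwarding_policy(sshd_config):
    """Map '*' (global) and each 'Match User' name to its AllowTcpForwarding
    value; sshd's default is 'yes'. Other Match criteria (Group, Address) are
    deliberately not credited, so those accounts stay listed for review."""
    policy = {"*": "yes"}
    scope = ["*"]  # users covered by the block currently being read
    for raw in sshd_config.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key, val = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if key == "match":
            m = re.match(r"user\s+(\S+)", val, re.I)
            scope = m.group(1).split(",") if m else ["<unmodelled-match>"]
        elif key == "allowtcpforwarding":
            for user in scope:
                policy[user] = val.lower()
    return policy

def audit(passwd, sshd_config):
    """Return accounts whose shell blocks logins yet may still forward TCP."""
    policy = parse_forwarding_policy(sshd_config)
    findings = []
    for line in passwd.splitlines():
        fields = line.split(":")
        if len(fields) < 7:  # accepts both passwd(5) and master.passwd lines
            continue
        user, shell = fields[0], fields[-1]
        if shell in NOLOGIN_SHELLS and policy.get(user, policy["*"]) != "no":
            findings.append(user)
    return findings

# Constructed samples: master.passwd-style entries like the one in the post.
SAMPLE_PASSWD = (
    "root:*:0:0::0:0:Charlie &:/root:/bin/sh\n"
    "user:*:101:101::0:0:Some FTP User:/home/ftponly/user:/sbin/ftponly\n"
    "bob:*:102:102::0:0:Bob:/home/bob:/sbin/nologin\n"
)
WEAK_CONFIG = "# stock file: AllowTcpForwarding defaults to yes\nPort 22\n"
FIXED_CONFIG = WEAK_CONFIG + "Match User user,bob\n    AllowTcpForwarding no\n"
```

With the stock config `audit(SAMPLE_PASSWD, WEAK_CONFIG)` lists both no-login accounts; with the Match block added it lists none, which is the state to aim for on any host that hands out FTP-only or other shell-less accounts.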