[kinda off topic] Rsync only account on slack 10.2 to 12.1 - Slackware


Thread: [kinda off topic] Rsync only account on slack 10.2 to 12.1

  1. [kinda off topic] Rsync only account on slack 10.2 to 12.1

    I have a box running slackware 10.2, and I multi-boot my laptop with XP and
    Slack 12.1. Is there a way to setup an account that can login with ftp and
    use rsync, but not have a real shell (cannot ssh in)? Is there an easy way
    to do this, or would I have to setup some kind of chroot jail and just let
    ssh "open" to (specific) authenticated users?

    Tim




  2. Re: [kinda off topic] Rsync only account on slack 10.2 to 12.1

    On Fri, 10 Oct 2008 14:36:34 +0000, Tim wrote:

    > I have a box running slackware 10.2, and I multi-boot my laptop with XP and
    > Slack 12.1. Is there a way to setup an account that can login with ftp and
    > use rsync, but not have a real shell (cannot ssh in)? Is there an easy way
    > to do this, or would I have to setup some kind of chroot jail and just let
    > ssh "open" to (specific) authenticated users?
    >
    > Tim
    >

    I would go with ssh configured for only specific users and for certificate
    authentication. It's quite easy to set up. Just be careful you don't lock
    yourself out while making the change to certificate based authentication.
    There are a lot of tutorials for this on the web, and they explain things much
    better than this, but here is a rough outline of how to proceed.

    Steps:
    1. Generate a certificate for the user on the box where you want to login
    from.

    $ ssh-keygen -t dsa

    2. Transfer the public key to the target box (where you want that user to
    be able to login)

    $ cat ~/.ssh/id_dsa.pub | ssh doug@otherbox "cat - >>.ssh/authorized_keys"

    3. At target box: Fixup /etc/ssh/sshd_config to only allow specific users
    and disable password authentication.

    4. At target box: Restart sshd

    p.s. As I said, be careful.

    p.p.s. If the box is accessible via the internet, then two
    additional things can be done. Have a NAT rule to switch ssh to a
    non-standard port (external). Also, invoke a rate-limiting iptables rule
    as part of your firewall setup.

    --
    Douglas Mayne
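Step 3 is where people lock themselves out, so here is an added check (my example, not Douglas's or Slackware's code): a small POSIX shell audit of the values sshd will actually use from an sshd_config, run against two constructed sample files. The directive names are real OpenSSH ones; the sample user names and temp-file paths are assumptions.

```sh
#!/bin/sh
# Added example, not code from the thread: audit an sshd_config for the
# settings Douglas's step 3 asks for, before the restart in step 4.
# Assumes POSIX sh + awk; the config path is passed as the first argument.

# sshd_get FILE DIRECTIVE -> the value sshd will use. sshd honours the FIRST
# uncommented occurrence of a directive, so later duplicates are ignored.
sshd_get() {
    awk -v k="$2" '
        /^[[:space:]]*#/ { next }
        tolower($1) == tolower(k) { $1 = ""; sub(/^[[:space:]]+/, ""); print; exit }
    ' "$1"
}

# sshd_audit FILE -> returns 0 when password logins are off and an explicit
# AllowUsers list exists, 1 otherwise; prints what it found.
sshd_audit() {
    f="$1"; rc=0
    pw=$(sshd_get "$f" PasswordAuthentication)
    [ "$pw" = no ] || { echo "FAIL: PasswordAuthentication='${pw:-unset, defaults to yes}'"; rc=1; }
    cr=$(sshd_get "$f" ChallengeResponseAuthentication)
    [ "$cr" = no ] || { echo "FAIL: ChallengeResponseAuthentication='${cr:-unset, defaults to yes}' (a second password path)"; rc=1; }
    pk=$(sshd_get "$f" PubkeyAuthentication)
    [ -z "$pk" ] || [ "$pk" = yes ] || { echo "FAIL: PubkeyAuthentication='$pk'"; rc=1; }
    au=$(sshd_get "$f" AllowUsers)
    if [ -z "$au" ]; then echo "FAIL: no AllowUsers line, every local account may log in"; rc=1
    else echo "OK: AllowUsers $au"; fi
    return $rc
}

# Constructed sample configs (not a real host's file) to exercise the check.
make_sample() {   # make_sample weak|hardened -> path of a temp file
    t=$(mktemp) || return 1
    if [ "$1" = hardened ]; then
        printf '%s\n' 'PasswordAuthentication no' 'ChallengeResponseAuthentication no' \
            'PubkeyAuthentication yes' 'AllowUsers tim doug' > "$t"
    else   # the classic trap: the hardened line is still commented out
        printf '%s\n' '#PasswordAuthentication no' 'PasswordAuthentication yes' \
            'AllowUsers tim' > "$t"
    fi
    echo "$t"
}

for kind in weak hardened; do
    cfg=$(make_sample "$kind"); echo "== $kind sample =="
    sshd_audit "$cfg" || echo "-> fix this, then run 'sshd -t' before restarting"
    rm -f "$cfg"
done
```

Keep the session you are already logged in with open until a second login with the key has succeeded.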

  3. Re: [kinda off topic] Rsync only account on slack 10.2 to 12.1

    On 2008-10-10, Tim wrote:
    > I have a box running slackware 10.2, and I multi-boot my laptop with XP and
    > Slack 12.1. Is there a way to setup an account that can login with ftp and
    > use rsync, but not have a real shell (cannot ssh in)? Is there an easy way
    > to do this, or would I have to setup some kind of chroot jail and just let
    > ssh "open" to (specific) authenticated users?



    Depending on what kind of rsync usage you have in mind, this is easy:
    If the username is "jim" then put this in /etc/ssh/sshd_config:
    DenyUsers jim

    -RW

  4. Re: [kinda off topic] Rsync only account on slack 10.2 to 12.1

    On Fri, 10 Oct 2008 09:48:28 -0600, Douglas Mayne wrote:

    ....
    >Steps:
    >1. Generate a certificate for the user on the box where you want to login
    >from.
    >
    >$ ssh-keygen -t dsa
    >
    >2. Transfer the public key to the target box (where you want that user to
    >be able to login)
    >
    >$ cat ~/.ssh/id_dsa.pub | ssh doug@otherbox "cat - >>.ssh/authorized_keys"
    >
    >3. At target box: Fixup /etc/ssh/sshd_config to only allow specific users
    >and disable password authentication.
    >
    >4. At target box: Restart sshd
    >
    >p.s. As I said, be careful.
    >
    >p.p.s. If the box is accessible via the internet, then two
    >additional things can be done. Have a NAT rule to switch ssh to a
    >non-standard port (external). Also, invoke a rate-limiting iptables rule
    >as part of your firewall setup.


    Basically I did the above less than a week ago to open the ssh port.

    Since:
    root@deltree:~# head -1 /var/log/messages
    Oct 5 04:40:02 deltree syslogd 1.4.1: restart.

    caught:
    root@deltree:~# firewall-check-ssh-fail-cidr -t
    82.64.0.0/14 # FR:France
    121.8.0.0/13 # CN:China
    122.204.0.0/14 # CN:China
    123.108.200.0/21 # IN:India
    123.112.0.0/12 # CN:China
    123.216.0.0/13 # JP:Japan
    124.104.0.0/14 # PH:Philippines
    174.132.0.0/15 # US:United States
    203.177.128.0/18 # PH:Philippines
    206.221.176.0/20 # US:United States
    210.32.0.0/14 # CN:China
    218.206.0.0/15 # CN:China
    found 12 /usr/local/etc/ssh-ban-list-cidr offender IPs

    So you do want to take care as Douglas wrote. I've chosen not to change
    the ssh login port, but then I have turned off password login and don't give
    an attacker many tries to guess a valid username, let alone a passphrase.

    And for the curious, usernames tried so far:

    root@deltree:~# grep sshd /var/log/messages | grep Invalid| \
    egrep -v '^192\.168\.' | awk '{print $8}' | sort | uniq
    Ovidiu
    admin
    apple
    fluffy
    guest
    recruit
    sales
    staff
    test
    toor
    webmaster

    Dunno how 'fluffy' got onto the list )

    Grant.
    --
    http://bugsplatter.id.au/
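Grant's pipeline keys on field 8, which fits the "Invalid user NAME from IP" line but not the "Failed password for invalid user ..." line sshd logs right after it. As an added example (mine, not Grant's script) the same triage matches the message text instead and also counts attempts per source, run over constructed log lines; the LAN range, host name and addresses are assumptions.

```sh
#!/bin/sh
# Added example, not code from the thread. Assumes OpenSSH's
# "Invalid user NAME from IP" wording and a LAN of 192.168.0.0/16.

# Constructed sample log lines, not a real host's /var/log/messages.
sample_log() {
    cat <<'EOF'
Oct  5 04:40:02 deltree syslogd 1.4.1: restart.
Oct  5 05:12:41 deltree sshd[2201]: Invalid user admin from 203.0.113.7
Oct  5 05:12:43 deltree sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51002 ssh2
Oct  5 05:13:02 deltree sshd[2204]: Invalid user test from 203.0.113.7
Oct  5 06:01:17 deltree sshd[2310]: Invalid user fluffy from 198.51.100.23
Oct  5 06:01:19 deltree sshd[2310]: Failed password for invalid user fluffy from 198.51.100.23 port 40211 ssh2
Oct  5 07:30:00 deltree sshd[2400]: Invalid user toor from 192.168.1.50
Oct  5 07:45:12 deltree sshd[2455]: Accepted publickey for grant from 192.168.1.20 port 33001 ssh2
EOF
}

# ssh_invalid FILE -> one "NAME IP" pair per matching sshd line, LAN dropped.
# Matching the text makes this independent of the field position.
ssh_invalid() {
    awk '
        /sshd\[[0-9]+\]:/ && match($0, /[Ii]nvalid user [^ ]+ from [^ ]+/) {
            n = split(substr($0, RSTART, RLENGTH), f, " ")
            if (n < 5 || f[5] ~ /^192\.168\./) next   # skip the (assumed) LAN
            print f[3], f[5]
        }' "$1"
}

# ssh_usernames FILE -> distinct usernames tried from outside (Grant's list).
ssh_usernames() {
    ssh_invalid "$1" | awk '{print $1}' | sort -u
}

# ssh_offenders FILE -> "COUNT IP" per source, most active first; this is the
# input a ban-list tool like the one above would work from.
ssh_offenders() {
    ssh_invalid "$1" | awk '{c[$2]++} END {for (ip in c) print c[ip], ip}' | sort -rn
}

log=$(mktemp) && sample_log > "$log"
echo "usernames tried from outside:"; ssh_usernames "$log"
echo "attempts per source:"; ssh_offenders "$log"
rm -f "$log"
```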

  5. Re: [kinda off topic] Rsync only account on slack 10.2 to 12.1

    On Fri, 10 Oct 2008 09:48:28 -0600, Douglas Mayne wrote:

    >Steps:
    >1. Generate a certificate for the user on the box where you want to login
    >from.
    >
    >$ ssh-keygen -t dsa


    Any reason to use dsa over rsa?

    I'm using ssh 2 rsa here.

    Grant.
    --
    http://bugsplatter.id.au/

  6. Re: [kinda off topic] Rsync only account on slack 10.2 to 12.1

    On Sat, 11 Oct 2008 07:18:13 +1100, Grant wrote:

    > On Fri, 10 Oct 2008 09:48:28 -0600, Douglas Mayne wrote:
    >
    >>Steps:
    >>1. Generate a certificate for the user on the box where you want to login
    >>from.
    >>
    >>$ ssh-keygen -t dsa

    >
    > Any reason to use dsa over rsa?
    >
    > I'm using ssh 2 rsa here.
    >
    > Grant.
    >

    Googled this, which seems to say that RSA may be superior to DSA:
    http://www.linuxforums.org/forum/lin...-security.html

    As far as why I am using dsa: force of habit. The first tutorial I saw on
    using ssh with certificates recommended using dsa. It could be that
    RSA was just emerging from patent control at that time, also.

    --
    Douglas Mayne
