DSM-G600, DNS-3xx and NSA-220 Hack Forum

Unfortunately no one can be told what fun_plug is - you have to see it for yourself.


#1 2008-02-03 18:44:20

bliko
Member
Registered: 2008-02-03
Posts: 6

SSH Access

Hi,

I'm running fonz's fun_plug 0.3. I need users to be able to log in via ftp remotely, and I also need to be able to log in as 'root' via ssh remotely.

However, I do not want any of the users to be able to log in to ssh / use any of the ssh functions. (Basically only 'root' is able to log in via ssh.)

I don't really want to bother with jailkit / chroot debian ... as I've seen posted on this forum. (Since I'm excluding everyone but 'root'.)

So far I've managed to stop users from logging into the command prompt / sftp by simply chmodding the files 744 (only the file owner can execute):

/mnt/HD_a2/fun_plug.d/bin/
sh
ssh
sftp-server
ash

However, when I try to log in to do port forwarding it works... so I was wondering if someone can tell me which file(s) in '/mnt/HD_a2/fun_plug.d/bin/' are responsible for ssh tunnelling / port forwarding capabilities... so I can chmod those as well.

In case anyone was wondering... the chmodding needs to be done each time the dns-323 is restarted. Simply add some shell commands to the end of the '/mnt/HD_a2/fun_plug.d/start/dropbear.sh' file to do this, i.e.

Code:

chmod 744 /mnt/HD_a2/fun_plug.d/bin/sh
chmod 744 /mnt/HD_a2/fun_plug.d/bin/ssh
chmod 744 /mnt/HD_a2/fun_plug.d/bin/sftp-server
chmod 744 /mnt/HD_a2/fun_plug.d/bin/ash

Any help would be appreciated. Thanks very much ;)


#2 2008-02-04 00:50:35

karlbowden
Member
Registered: 2008-02-04
Posts: 5

Re: SSH Access

You should find that if you edit /etc/passwd and set a user's shell to /bin/false then that user will not be able to log in via ssh.
i.e.:
root:x:0:0:Linux User,,,:/mnt:/bin/sh
admin:x:500:500:Linux User,,,:/mnt:/bin/false
nobody:x:501:501:Linux User,,,:/mnt:/bin/false
ftp:*:95:95::/mnt:/bin/false
kbowden:x:505:504:Users:/mnt:/bin/false

will only allow root access via telnet and ssh, and everybody by ftp and samba
- Karl


#3 2008-02-04 12:14:47

bliko
Member
Registered: 2008-02-03
Posts: 6

Re: SSH Access

Unfortunately that won't work:

http://dns323.kood.org/forum/p4123-2007 … html#p4123

Removing the part fonz mentioned disables command line access for everyone including root.

Any other suggestions?


#4 2008-02-04 12:51:14

karlbowden
Member
Registered: 2008-02-04
Posts: 5

Re: SSH Access

Hmmm. OK, I just tried changing the user's home dir, and it allows me effective control over who gets access, even over reboots.

/etc/passwd

Code:

root:x:0:0:Linux User,,,:/mnt:/bin/sh
admin:x:500:500:Linux User,,,:/mnt:/bin/sh
nobody:x:501:501:Linux User,,,:/mnt:/bin/sh
ftp:*:95:95::/mnt:/bin/sh
kbowden:x:505:504:Users:/dummy:/bin/sh

Here you can see I have changed my home dir to /dummy, and when I try to log in, I get an error changing directory and am then logged out.
To save it across reboots use:

Code:

store-passwd.sh

(Once you've confirmed that the passwd file is working as expected)
- Karl


#5 2008-02-04 12:54:35

karlbowden
Member
Registered: 2008-02-04
Posts: 5

Re: SSH Access

I haven't tried it, but you could also remove the '-l ${BINDIR}/sh' option from dropbear.sh, set the users' shells, and have those that need the shell set theirs to /mnt/HD_a2/fun_plug.d/bin/sh

Then once confirmed working again, store-passwd.sh and reboot.

I'm also using fonz funplug 0.4 btw.
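
An audit of the approaches in posts #2, #4 and #5, as an added example that is not part of the original thread: it lists every account other than the one allowed user that still has an existing home directory and a shell other than /bin/false. The function names, the optional root prefix and the sample file are assumptions made for illustration, and the login rules it encodes are the ones the posters describe, not verified dropbear behaviour.

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions (from posts #2, #4, #5):
# a login fails when the home directory is missing and, once the forced
# '-l' shell is removed from dropbear.sh, when the shell is /bin/false.

# shell_capable FILE ALLOWED [ROOT]
# Print the name of every account other than ALLOWED that still has an
# existing home directory and a shell other than /bin/false.
# ROOT is an optional path prefix so a copied tree can be audited offline.
shell_capable() {
    file=$1 allowed=$2 root=${3:-}
    [ -r "$file" ] || return 2
    # '|| [ -n "$name" ]' keeps a final line that lacks a trailing newline.
    while IFS=: read -r name _pw _uid _gid _gecos home shell || [ -n "$name" ]; do
        case $name in ''|'#'*) continue ;; esac      # skip blanks and comments
        [ "$name" = "$allowed" ] && continue          # the one permitted account
        [ "$shell" = "/bin/false" ] && continue       # post #2 / #5 approach
        [ -d "$root$home" ] || continue               # post #4 approach
        echo "$name"
    done < "$file"
}

# Constructed sample modelled on the thread's /etc/passwd listings:
# ftp has /bin/false (post #2), kbowden has the missing home /dummy (post #4).
make_sample() {
    mkdir -p "$1/etc" "$1/mnt"
    cat > "$1/etc/passwd" <<'EOF'
root:x:0:0:Linux User,,,:/mnt:/bin/sh
admin:x:500:500:Linux User,,,:/mnt:/bin/sh
nobody:x:501:501:Linux User,,,:/mnt:/bin/sh
ftp:*:95:95::/mnt:/bin/false
kbowden:x:505:504:Users:/dummy:/bin/sh
EOF
}

# Demo on the constructed tree: prints "admin" and "nobody", the accounts
# that would still need their home or shell changed.
tmp=$(mktemp -d) && make_sample "$tmp" && shell_capable "$tmp/etc/passwd" root "$tmp"
rm -rf "$tmp"
```

On the device itself the call would be `shell_capable /etc/passwd root`, run after editing the file and before store-passwd.sh.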
