SSH user without any rights on a server
Ric Moore
wayward4now at gmail.com
Sat Jun 25 00:02:16 UTC 2011
On Fri, 2011-06-24 at 12:03 +0200, Frank wrote:
> Hi Nils
>
> On Fri, 2011-06-24 at 08:09 +0200, Nils Kassube wrote:
>
> > Which security risks are you concerned about? For the intermediate
> > server or for your company?
>
> For the intermediate server.
>
> > If you use password authentication with a weak
> > password, you just built a nice backdoor to your company network.
>
> For that reason I gave "reverseuser" a fake shell, no home folder, he is
> not member of any group, etc... (as described in my post).
>
> > I'm
> > not a security expert, but to me (with my limited knowledge) it seems to
> > be _very_ insecure.
>
> For that reason I asked the mailing-list, where most of the participants
> are more expert than I am.
> I appreciate your answer, but I cannot do much with "feelings". What I
> need is advice, like "OK, clever idea, but remember that «reverseuser»
> could still do this and this. So, to be sure, disable this and this.".
>
> > friends should install sshd and let you login for remote maintenance.
>
> Unfortunately, that's not an option.
> They move between different locations so I never know their IP address.
> They have no access to routers/firewall in order to forward port 22 (and
> even if they have access to the router's settings, I doubt they know
> what to do).
I forget which application did it, but one of the instant messenger apps
used to allow you to connect to a friend, see their IP address at that
moment, and then you'd just ssh to it. With their permission of course.
That might help. Ric
--
My father, Victor Moore (Vic) used to say:
"There are two Great Sins in the world...
..the Sin of Ignorance, and the Sin of Stupidity.
Only the former may be overcome." R.I.P. Dad.
Linux user# 44256