Preventing shells from being spawned
Matt Johnston
matt at ucc.asn.au
Wed Jun 22 13:46:49 WST 2005
On Tue, Jun 14, 2005 at 12:10:36PM -0700, John Daz wrote:
> Hello,
> I would like to use dropbear to allow users to tunnel
> into an embedded system. However I don't want them to
> get a shell when they run the port forwarding command.
> e.g.
> the command:
>
> ssh -L 2001:localhost:2002 user at 10.10.1.1
>
> should not create a shell as it does by default.
>
> Is this possible?.
It seems easier than I thought it would be, sorry for the
delay in replying :)
You should be able to just change
&svrchansess,
to
//&svrchansess,
around line 70 of svr-session.c
That'll prevent any users logging in.
If you want it to be user-specific, it's a bit harder - you
could either make svr-auth.c alter ses.chantypes for
users who aren't allowed to spawn a shell, or just change
the user's shell to a statically linked /bin/pause-forever
or something like that.
Let me know if there are any problems.
Matt
More information about the Dropbear
mailing list