peterh - Linux - Blog - sftp and port forward only login

sftp and port forward only login

Friday, September 16, 2011, 10:34 - System, Network, Debian/Ubuntu, Security, Programming
Posted by Administrator

I need a ssh login for restricted portforward but without a shell for the user.

This got realized with /etc/ssh/sshd_config:

...
Subsystem sftp internal-sftp

Match user USER
  PasswordAuthentication yes
  AllowAgentForwarding no
  X11Forwarding no
  ForceCommand internal-sftp
  PermitOpen localhost:22
  ChrootDirectory /home/USER

"PermitOpen"restricts portforward to localhost:22 (remote port forward is not restricted)

But if the client needs a login shell this failes.

Well you could tell the client to not use a login shell:

ssh -N -L2222:IP:22 USER@SERVER

putty: SSH / Protocol Option enable "Don't start a shell or command at all"

or use an own loginshell where the user can only press return to disconnect:

/etc/ssh/sshd_config:

...
Subsystem sftp internal-sftp

Match user USER
  PasswordAuthentication yes
  AllowAgentForwarding no
  X11Forwarding no
  PermitOpen 127.0.0.1:2222
  ChrootDirectory /home/USER

sudo touch /home/USER/.hushlogin
sudo cp own_loginshell /home/USER/
/etc/passwd:USER:x:ID:ID::/:/own_loginshell

own_loginshell.c:

/*
   simple program to print to stdout and read from stdin without libc

   taken from http://crazychenz.com/archives/107
   (http://stackoverflow.com/questions/2548486/compiling-without-libc)

   modified 2011 by Peter Holik (peter@holik.at)

   gcc -nostdlib -nostartfiles -fno-builtin own_loginshell.c -o own_loginshell
*/

/* Types - I've defined these just to match the kernel's macros, typedefs, and structs */
typedef unsigned int size_t;

/* Syscalls */
exit(int error_code) {
        /* The asm call is a GCC thing that allows us to put assembly
         * inline with our C code. This particular use is the extended version,
         * which provides a very clean and easy way to map variables in
         * our code with registers in the assembly code.
         */
        asm("int  $0x80"
            : // no output registers
            : "a" (1), "b" (error_code)
        );
}

size_t read(unsigned int fd, char * buf, size_t count) {
        size_t ret;
        /* In this call, we have a return value, which know will be
         * of type size_t, so we put the value of %eax into ret.
         */
        asm("int  $0x80"
            : "=a" (ret)
            : "a" (3), "b" (fd), "c" (buf), "d" (count)
        );
        return ret;
}

size_t write(unsigned int fd, const char * buf, size_t count) {
        size_t ret;
        asm("int  $0x80"
            : "=a" (ret)
            : "a" (4), "b" (fd), "c" (buf), "d" (count)
        );
        return ret;
}

/* Notice that there is no main in this code, that is because
 * main is not _really_ required. All that is _really_ required
 * is the entry point for Linux to execute. I'd suggest
 * always using a main() for compatibility reasons.
 */
void _start() {
        char *buf = "press enter to close connection";

        write(1, buf, 31);
        read(0, buf, 1);
        exit(0);
}

[ view entry ] ( 2989 views ) | print article

change xorg screen dimension on login with xrandr

Wednesday, September 7, 2011, 16:23 - System, Debian/Ubuntu
Posted by Administrator

* create modline setting with cvt for desired resolution

* add new modline with xrandr --newmode

* add mode to output with xrandr --addmode

* set output and dimension with xrandr --output and --mode

The needed steps are done in

/etc/X11/Xsession.d/45custom_xrandr-settings


# $ cvt 1280 1024 60
# 1280x1024 59.89 Hz (CVT 1.31M4) hsync: 63.67 kHz; pclk: 109.00 MHz
# Modeline "1280x1024_60.00"  109.00  1280 1368 1496 1712  1024 1027 1034 1063 \
# -hsync +vsync
# $ xrandr
# Screen 0: minimum 320 x 200, current 1024 x 768, maximum 8192 x 8192
# HDMI-1 disconnected (normal left inverted right x axis y axis)
# VGA-1 connected 1024x768+0+0 (normal left inverted right x axis y axis) 0mm x 0mm
#    1024x768       60.0* 
#    800x600        60.3     56.2  
#    848x480        60.0  
#    640x480        59.9
xrandr --newmode "1280x1024_60.00"  109.00  1280 1368 1496 1712  1024 1027 1034 1063 \
-hsync +vsync
xrandr --addmode VGA-1 1280x1024_60.00
# $ xrandr
# Screen 0: minimum 320 x 200, current 1024 x 768, maximum 8192 x 8192
# HDMI-1 disconnected (normal left inverted right x axis y axis)
# VGA-1 connected 1024x768+0+0 (normal left inverted right x axis y axis) 0mm x 0mm
#    1024x768       60.0* 
#    800x600        60.3     56.2  
#    848x480        60.0  
#    640x480        59.9  
#    1280x1024_60.00   59.9
xrandr --output VGA-1 --mode 1280x1024_60.00

[ view entry ] ( 1372 views ) | print article

usb modem dialin

Wednesday, September 7, 2011, 16:04 - System, Network, Debian/Ubuntu
Posted by Administrator

Server

needed packages: mgetty, pppd

start and stop mgetty on plugin of usbmodem (0572:1329 Conexant Systems (Rockwell), Inc.)

/etc/init/mgetty.conf

# mgetty - dialin daemon

description     "mgetty daemon"

start on tty-device-added KERNEL=ttyACM0
stop on tty-device-removed KERNEL=ttyACM0

respawn
exec /sbin/mgetty -s 115200 -D /dev/ttyACM0

/etc/mgetty/login.config

/AutoPPP/ - a_ppp /usr/sbin/pppd auth +chap -pap name dialinserver remotename dialer debug

I use chap instead of pap because of plain password used by pap.

/etc/ppp/chap-secrets

dialer dialinserver password *

/etc/ppp/options.ttyACM0

10.0.0.1:10.0.0.2

Client

needed packages: pppd

/etc/ppp/peers/dialinserver

noauth
connect "/usr/sbin/chat -v -f /etc/chatscripts/dialinserver"
debug
/dev/ttyS0
115200
defaultroute
noipdefault
name dialer
remotename dialinserver

/etc/chatscripts/dialinserver

ABORT BUSY ABORT 'NO CARRIER' ABORT VOICE ABORT 'NO DIALTONE' ABORT 'NO DIAL TONE'
ABORT 'NO ANSWER' ABORT DELAYED
'' ATZ
OK-AT-OK "ATDTnumber"
CONNECT \d\c

/etc/ppp/chap-secrets

dialer dialinserver password *

Connect with "pon dialinserver" and disconnect with "poff dialinserver"

[ view entry ] ( 1038 views ) | print article

fast reboot with kexec

Friday, March 4, 2011, 15:15 - System, Debian/Ubuntu
Posted by Administrator

sudo apt-get install kexec-tools

change LOAD_KEXEC to true in /etc/default/kexec

[ view entry ] ( 810 views ) | print article

key remap on keyboard for console and X

Thursday, January 13, 2011, 16:45 - System, Debian/Ubuntu
Posted by Administrator

I got a funny viennese dialect keyboard, but after start using it i missed a key '<,>,|' :-(

So i searched for a way to remap 'AltGr + y' to '|', 'AltGr + ,' to '<' and 'AltGr + .' to '>'

Console

evaluate the key to change with

#> sudo showkey -s

press the key

here y is 0x2c = 44
here , is 0x33 = 51
here . is 0x34 = 52

test remap with

echo "altgr keycode 44 = bar" | loadkeys

bar is a symbolic name i found at German-Howto

Finally i extended /etc/rc.local with

LOADKEYS=$(which loadkeys)
if [ -x $LOADKEYS ]; then
  cat << EOT | $LOADKEYS
altgr keycode 44 = bar
altgr keycode 51 = less
altgr keycode 52 = greater
EOT
  unset LOADKEYS
fi

Xorg

evaluate the key to change with

#> xev

press the key

here y is keycode 52
here , is keycode 59
here . is keycode 60

test remap with

xmodmap -e "keycode 52 = y Y y Y bar"

dump keys with

#> xmodmap -pke > ~/.Xmodmap

remove all lines except lines starting with desired keycodes to change.

my ~/.Xmodmap now looks like

keycode  52 = y Y y Y bar U203A guillemotright
keycode  59 = comma semicolon comma semicolon less multiply periodcentered
keycode  60 = period colon period colon greater division U2026

[ view entry ] ( 2463 views ) | print article

<<First <Back | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | Next> Last>>