[kwlug-disc] Setting shell to a script
William Park
opengeometry at yahoo.ca
Thu Sep 5 00:46:56 EDT 2019
If you control the remote point, how about connecting to the rsync daemon directly?
On Wed, Sep 4, 2019 at 5:37 PM, Paul Nijjar via kwlug-disc <kwlug-disc at kwlug.org> wrote:

My websearching skills are failing me on this, so I will ask you smart
people.

I have an account that is kind of a service account (humans will not
log into that account) but will be used for rsync via ssh. For
security I would prefer that this account be locked down.

I had set the shell of the user to /bin/false, but then ssh does not
work.

I am using a whitelist script I documented here:
http://pnijjar.freeshell.org/2015/lock-rsync/

Now I am wondering if there is more I can do to lock down the account.
Setting the shell to /bin/rbash is not helpful unless I lock down a
bunch of other things. There is an rssh shell that I have read about,
but I have not tried it yet.

One thing I am considering is actually setting the shell for the user
to my whitelist script, which is a python executable. Is this a
promising idea or a terrible one?

- Paul
--
Get tech event listings: https://off-topic.kwlug.org/watcamp
Blog: http://pnijjar.freeshell.org
_______________________________________________
kwlug-disc mailing list
kwlug-disc at kwlug.org
http://kwlug.org/mailman/listinfo/kwlug-disc_kwlug.org
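
Added example, not Paul's script and not part of the original thread: a sketch of an rsync allowlist wrapper that accepts the client's command both as an SSH forced command (SSH_ORIGINAL_COMMAND) and as the account's login shell, which sshd invokes as `<shell> -c "<command>"`. ALLOWED_ROOT, the rsync path, the function names and the option policy are assumptions made for illustration.

```python
#!/usr/bin/env python3
"""Allowlist wrapper for an rsync-only SSH account (illustrative sketch)."""
import os
import re
import shlex
import sys

ALLOWED_ROOT = "/srv/backup"  # assumption: the only tree this account may touch
RSYNC = "/usr/bin/rsync"      # assumption: absolute path, so PATH is never consulted
# One cluster of short flags as the rsync client sends it, e.g. -vlogDtpre.iLsfxC
SHORT_FLAGS = re.compile(r"-[A-Za-z]+(\.[A-Za-z]*)?")


def requested_command(argv, environ):
    """Return the client's command string for either deployment style."""
    if len(argv) == 3 and argv[1] == "-c":  # login shell: <shell> -c "<command>"
        return argv[2]
    # Forced command (command="..." in authorized_keys): sshd exports the request.
    return environ.get("SSH_ORIGINAL_COMMAND", "")


def validate(command, root=ALLOWED_ROOT):
    """Return the argv to exec, or raise ValueError. No shell ever sees the string."""
    try:
        args = shlex.split(command)
    except ValueError as exc:
        raise ValueError(f"unparseable command: {exc}")
    if len(args) < 5 or args[:2] != ["rsync", "--server"]:
        raise ValueError("not an rsync server invocation")
    *options, dot, path = args[2:]
    if dot != "." or path.startswith("-"):
        raise ValueError("expected '.' followed by exactly one path")
    for opt in options:
        if opt != "--sender" and not SHORT_FLAGS.fullmatch(opt):
            raise ValueError(f"option not allowed: {opt}")
    # Resolve symlinks and '..' before comparing against the permitted tree.
    root = os.path.realpath(root)
    if os.path.commonpath([os.path.realpath(path), root]) != root:
        raise ValueError(f"path outside {root}: {path}")
    return [RSYNC, "--server", *options, ".", path]


if __name__ == "__main__":
    try:
        argv = validate(requested_command(sys.argv, os.environ))
    except ValueError as exc:
        sys.exit(f"rejected: {exc}")
    os.execv(RSYNC, argv)  # replace this process; nothing else can run afterwards
```

An interactive login (no `-c`, no SSH_ORIGINAL_COMMAND) yields an empty command and is rejected, so the account never gets a prompt.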