On Mon, Mar 19, 2001 at 08:58:06AM -0300, Pedro Zorzenon Neto wrote:
> Hi,
>
> I'd like anyone to be able to use the local keyboard of some machines to
> telnet/ssh to any other machine and use their account on the other machine.
>
> A simple solution would be to create one account for user "anyone" without
> password and restrict its login with rbash to use just telnet/ssh. Also
> disallow ftp for user "anyone".
> Do you think this is a good solution? Does it open some security hole?
Instead of getty on the consoles, make inittab run a program that drops all privileges, then asks "connect to what machine?", and then runs the appropriate ssh command. Make sure the program uses exec, instead of passing it to the shell. That will stop a lot of tricks!

Set the ssh options appropriately. You'll probably want to disable the ssh escape character and all port forwarding.

Don't even bother with telnet, it's obsolete. Install sshd on any machines that don't have it yet, and don't install telnet on the public machine.

Since users will have console access, make sure you turn off rebooting with the three finger salute, and set a password on lilo so users can't power cycle the machine and boot with init=/bin/bash. You might even want to mount the drives read-only, but you should probably have some kind of logging, in case people are connecting to stuff they shouldn't be.

(ssh won't let people talk to FTP or SMTP servers, though, unlike telnet. This is a good thing.)

-- 
#define X(x,y) x##y
Peter Cordes ; e-mail: X([EMAIL PROTECTED] , ns.ca)

"The gods confound the man who first found out how to distinguish the hours!
Confound him, too, who in this place set up a sundial, to cut and hack my day
so wretchedly into small pieces!" -- Plautus, 200 BCE
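The console program Peter describes, written out as an added example (it is not code from either poster): it drops root before reading any input, validates the target so that nothing the user types can be parsed by ssh as an option or reach a shell, builds an argv with the escape character, all forwarding and client-side local commands disabled, and replaces itself with ssh via exec. The unprivileged account name, the inittab wiring and the option set are assumptions; the ssh options used are current OpenSSH ones, some of which postdate the original 2001 message.

```python
#!/usr/bin/env python3
"""Minimal ssh-only console kiosk, meant to be started from inittab in place of getty."""
import os
import pwd
import re
import sys

# Assumption: an unprivileged account with this name exists on the console machine.
KIOSK_USER = "nobody"

# Accept "host" or "user@host" only. A target that starts with "-" would be parsed by
# ssh as an option (e.g. a ProxyCommand), so hostname labels must start alphanumeric.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,62}[A-Za-z0-9])?"
_HOST_RE = re.compile(rf"^(?:{_LABEL}\.)*{_LABEL}$")
_USER_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")


def parse_target(text):
    """Return (user, host) from 'host' or 'user@host'; raise ValueError on anything else."""
    text = text.strip()
    user = None
    if "@" in text:
        user, _, text = text.partition("@")
        if not _USER_RE.match(user):
            raise ValueError("bad user name")
    if not _HOST_RE.match(text):
        raise ValueError("bad host name")
    return user, text


def is_valid_target(text):
    """Boolean form of parse_target, handy for tests and for a retry loop."""
    try:
        parse_target(text)
    except ValueError:
        return False
    return True


def build_ssh_argv(user, host):
    """argv for ssh with escape character, forwarding and local commands switched off."""
    argv = [
        "ssh",
        "-e", "none",                     # no "~" escape sequences at all
        "-o", "ClearAllForwardings=yes",  # ignore any forwarding configured elsewhere
        "-o", "ForwardAgent=no",
        "-o", "ForwardX11=no",
        "-o", "PermitLocalCommand=no",    # no "!command" from the client side
        "-o", "ProxyCommand=none",
    ]
    if user is not None:
        argv += ["-l", user]
    argv += ["--", host]                  # "--" ends option parsing before the host
    return argv


def drop_privileges(username):
    """Switch from root to an unprivileged uid/gid and verify the drop cannot be undone."""
    pw = pwd.getpwnam(username)
    os.setgroups([])                      # supplementary groups first, while still root
    os.setgid(pw.pw_gid)
    os.setuid(pw.pw_uid)
    try:
        os.setuid(0)                      # must fail now; if it succeeds, bail out
    except PermissionError:
        return True
    raise SystemExit("privilege drop failed; refusing to continue")


def main():
    if os.geteuid() == 0:
        drop_privileges(KIOSK_USER)
    sys.stdout.write("connect to what machine? ")
    sys.stdout.flush()
    line = sys.stdin.readline()
    if not line:
        return 1
    try:
        user, host = parse_target(line)
    except ValueError as exc:
        print(f"rejected: {exc}", file=sys.stderr)
        return 1
    # execvp replaces this process with ssh; no shell ever sees the user's input.
    os.execvp("ssh", build_ssh_argv(user, host))


if __name__ == "__main__":
    sys.exit(main())
```

An inittab line of the form `1:2345:respawn:/usr/local/sbin/sshkiosk` (path assumed) would start it on tty1 with init respawning it after each session; because the program execs ssh rather than spawning it, ssh's exit ends the session and init brings the prompt back.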