On Tue, Jul 18, 2006 at 02:00:49PM +0800, Matt Johnston wrote: > On Mon, Jul 17, 2006 at 09:53:52PM -0700, Prasad wrote: > > So now i want to totally skip the regular username and > > password in the SSH and directly call my commandline interpreter > > (which has a password autentication by itself). How do i achieve that? > > Is there any security flaws in this kinda design.
> I think it should be secure, as long as you make sure that > you're ignoring requests for different commands from the > user (which will get passed as arguments to your > interpreter), and your interpreter itself is secure. Another thought, you should probably disable any forwarding. TCP forwarding certainly could present a hazard (tunnel through the device to get around firewalls), and agent or X11 forwarding might have unforseen issues too. You might also be vulnerable to denial-of-service type issues, as someone could open numerous connections, each spawning an interpreter. One solution to that is to limit the total number of connections - see the thread http://lists.ucc.gu.uwa.edu.au/pipermail/dropbear/2006q2/000388.html or your inetd implementation if you're using that. Matt