Re: Execute and lock a user into a program upon login
hi... have a look here: http://docs.hp.com/en/5991-7517/ch01s04.html I think the cleanest solution would be to create a match block for your user, and apply the forcecommand within that block... -- Olli On Fr, 2009-03-13 at 21:50 -0400, Steve Bertrand wrote: Jonathan Chen wrote: On Sat, Mar 14, 2009 at 02:18:27AM +0100, Polytropon wrote: [..] If the user's shell is csh (FreeBSD's standard dialog shell), you could achieve the goal: ~/.login vtysh logout Only problem: I don't know how the shell will act when the user terminates the vtysh application (^C)... Change the contents of ~/.login to: exec vtysh This overlays the shell with vtysh. When it exits, the session will be closed. Thank you. This appears to be what I want. I was trying it with the previous setup, but I had to put the user in the wheel group. I haven't yet figured where permissions were going astray. Your procedure will allow me to put the user in the wheel group for now, knowing that logout will occur as soon as the program terminates. This way, I can safely know it works, and make myself a note for Monday to fix the permissions issues ;) Regards, Steve ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: Execute and lock a user into a program upon login
And I think the cleanest solution would be to link .login to vtysh , make sure that your system logs out when it finishes this command or you can't use this technique. Steve Bertrand wrote (earlier today): I think the cleanest solution would be to create a match block for your user, and apply the forcecommand within that block... -- Olli On Fr, 2009-03-13 at 21:50 -0400, Steve Bertrand wrote: Jonathan Chen wrote: On Sat, Mar 14, 2009 at 02:18:27AM +0100, Polytropon wrote: [..] If the user's shell is csh (FreeBSD's standard dialog shell), you could achieve the goal: ~/.login vtysh logout Only problem: I don't know how the shell will act when the user terminates the vtysh application (^C)... Change the contents of ~/.login to: exec vtysh This overlays the shell with vtysh. When it exits, the session will be closed. Thank you. This appears to be what I want. I was trying it with the previous setup, but I had to put the user in the wheel group. I haven't yet figured where permissions were going astray. Your procedure will allow me to put the user in the wheel group for now, knowing that logout will occur as soon as the program terminates. This way, I can safely know it works, and make myself a note for Monday to fix the permissions issues ;) Regards, Steve Looking for insurance? Compare and save today. Click here. http://thirdpartyoffers.juno.com/TGL2141/fc/BLSrjpTInoLb38jeH2ZxV89B2QnR6ZNekJuaR3qGCHLhnMekVw3DI3haDtu/ ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Execute and lock a user into a program upon login
Hi everyone, Although the application of my question focuses on network operation, I believe that the objective fits this list. Mostly irrelevant, I have been working on securing my network perimeter. I have a FreeBSD box that acts as a host-based BGP peer to all edge connected routers. I use this host-based Quagga FBSD router to distribute routes that are to be blackholed by the edge devices. What I want is to set up an environment so that when a specific user logs in to the box via SSH, a command is run, and they immediately get dropped into the environment that the command produces. When they exit this 'command', the login session is dropped. Essentially, I want to 'lock' a user into a program upon SSH login, and drop them from the SSH session when the program terminates. In essence: - user 'router' connects via SSH - user is dropped into the application 'vtysh' - user performs operations - user exits from program - shell drops (ie. user does not have to exit the csh shell to drop the SSH connection) Steve ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: Execute and lock a user into a program upon login
Steve Bertrand wrote: Hi everyone, Although the application of my question focuses on network operation, I believe that the objective fits this list. Mostly irrelevant, I have been working on securing my network perimeter. I have a FreeBSD box that acts as a host-based BGP peer to all edge connected routers. I use this host-based Quagga FBSD router to distribute routes that are to be blackholed by the edge devices. What I want is to set up an environment so that when a specific user logs in to the box via SSH, a command is run, and they immediately get dropped into the environment that the command produces. When they exit this 'command', the login session is dropped. Essentially, I want to 'lock' a user into a program upon SSH login, and drop them from the SSH session when the program terminates. In essence: - user 'router' connects via SSH - user is dropped into the application 'vtysh' - user performs operations - user exits from program - shell drops (ie. user does not have to exit the csh shell to drop the SSH connection) I probably should have explicitly stated that I'd like help as to how I would go about doing what I want to do, instead of simply stating my goals ;) Steve ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: Execute and lock a user into a program upon login
On Fri, 13 Mar 2009 21:12:07 -0400, Steve Bertrand st...@ibctech.ca wrote: Steve Bertrand wrote: Hi everyone, Although the application of my question focuses on network operation, I believe that the objective fits this list. Mostly irrelevant, I have been working on securing my network perimeter. I have a FreeBSD box that acts as a host-based BGP peer to all edge connected routers. I use this host-based Quagga FBSD router to distribute routes that are to be blackholed by the edge devices. What I want is to set up an environment so that when a specific user logs in to the box via SSH, a command is run, and they immediately get dropped into the environment that the command produces. When they exit this 'command', the login session is dropped. Essentially, I want to 'lock' a user into a program upon SSH login, and drop them from the SSH session when the program terminates. In essence: - user 'router' connects via SSH - user is dropped into the application 'vtysh' - user performs operations - user exits from program - shell drops (ie. user does not have to exit the csh shell to drop the SSH connection) I probably should have explicitly stated that I'd like help as to how I would go about doing what I want to do, instead of simply stating my goals ;) If the user's shell is csh (FreeBSD's standard dialog shell), you could achieve the goal: ~/.login vtysh logout Only problem: I don't know how the shell will act when the user terminates the vtysh application (^C)... Idea: When the application vtysh is terminated, the next command in the .login file will be executed, which is the logout command that will cause the login shell to exit. This will close the SSH connection as well. (I haven't checked this, sorry.) -- Polytropon From Magdeburg, Germany Happy FreeBSD user since 4.0 Andra moi ennepe, Mousa, ... ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: Execute and lock a user into a program upon login
Polytropon wrote: On Fri, 13 Mar 2009 21:12:07 -0400, Steve Bertrand st...@ibctech.ca wrote: Steve Bertrand wrote: Hi everyone, Although the application of my question focuses on network operation, I believe that the objective fits this list. Mostly irrelevant, I have been working on securing my network perimeter. I have a FreeBSD box that acts as a host-based BGP peer to all edge connected routers. I use this host-based Quagga FBSD router to distribute routes that are to be blackholed by the edge devices. What I want is to set up an environment so that when a specific user logs in to the box via SSH, a command is run, and they immediately get dropped into the environment that the command produces. When they exit this 'command', the login session is dropped. Essentially, I want to 'lock' a user into a program upon SSH login, and drop them from the SSH session when the program terminates. In essence: - user 'router' connects via SSH - user is dropped into the application 'vtysh' - user performs operations - user exits from program - shell drops (ie. user does not have to exit the csh shell to drop the SSH connection) I probably should have explicitly stated that I'd like help as to how I would go about doing what I want to do, instead of simply stating my goals ;) If the user's shell is csh (FreeBSD's standard dialog shell), you could achieve the goal: ~/.login vtysh logout Only problem: I don't know how the shell will act when the user terminates the vtysh application (^C)... Idea: When the application vtysh is terminated, the next command in the .login file will be executed, which is the logout command that will cause the login shell to exit. This will close the SSH connection as well. (I haven't checked this, sorry.) Thanks! No problem for lack of testing. To be honest, an extra 'exit' command via the shell is acceptable in this case, given that it will be only internal network ops working this anyway. I pretty much just wanted to provide a Cisco-like environment for adding a route upon login (as opposed to having to manually running the vtysh command). Manually logging out of a secure shell session is ok. I'll test the log out portion. If it works, that'd be most handy. Nonetheless, you've helped me out greatly. Cheers! Steve ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: Execute and lock a user into a program upon login
On Sat, Mar 14, 2009 at 02:18:27AM +0100, Polytropon wrote: [..] If the user's shell is csh (FreeBSD's standard dialog shell), you could achieve the goal: ~/.login vtysh logout Only problem: I don't know how the shell will act when the user terminates the vtysh application (^C)... Change the contents of ~/.login to: exec vtysh This overlays the shell with vtysh. When it exits, the session will be closed. -- Jonathan Chen j...@chen.org.nz We laugh in the face of danger, we drop icecubes down the vest of fear - Edmond Blackadder III ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: Execute and lock a user into a program upon login
Jonathan Chen wrote: On Sat, Mar 14, 2009 at 02:18:27AM +0100, Polytropon wrote: [..] If the user's shell is csh (FreeBSD's standard dialog shell), you could achieve the goal: ~/.login vtysh logout Only problem: I don't know how the shell will act when the user terminates the vtysh application (^C)... Change the contents of ~/.login to: exec vtysh This overlays the shell with vtysh. When it exits, the session will be closed. Thank you. This appears to be what I want. I was trying it with the previous setup, but I had to put the user in the wheel group. I haven't yet figured where permissions were going astray. Your procedure will allow me to put the user in the wheel group for now, knowing that logout will occur as soon as the program terminates. This way, I can safely know it works, and make myself a note for Monday to fix the permissions issues ;) Regards, Steve ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org