From rowdenw@eskimo.com Sat Mar 9 18:08:19 2002
Received: from mailscan2.cac.washington.edu (mailscan2.cac.washington.edu [140.142.33.16]) by lists.u.washington.edu (8.12.1+UW01.12/8.12.1+UW02.01) with SMTP id g2A28InJ077806 for ; Sat, 9 Mar 2002 18:08:18 -0800
Received: FROM mxu3.u.washington.edu BY mailscan2.cac.washington.edu ; Sat Mar 09 18:08:18 2002 -0800
Received: from mx1.eskimo.com (mx1.eskimo.com [204.122.16.48]) by mxu3.u.washington.edu (8.12.1+UW01.12/8.12.1+UW02.01) with ESMTP id g2A28Hre001842; Sat, 9 Mar 2002 18:08:17 -0800
Received: from eskimo.com (rowdenw@eskimo.com [204.122.16.13]) by mx1.eskimo.com (8.9.1a/8.8.8) with ESMTP id SAA22279; Sat, 9 Mar 2002 18:08:16 -0800
Received: from localhost (rowdenw@localhost) by eskimo.com (8.9.1a/8.9.1) with ESMTP id SAA02906; Sat, 9 Mar 2002 18:08:16 -0800 (PST)
X-Authentication-Warning: eskimo.com: rowdenw owned process doing -bs
Date: Sat, 9 Mar 2002 18:08:15 -0800 (PST)
From: William Rowden
To: "C. Olmsted"
cc: UW Linux Group
Subject: Re: SSH2 -N feature
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

Yesterday, C. Olmsted wrote:
> Or putting an exclamation point (!) at the start of the encoded
> passwd string in the shadow passwd file...

This may work if RSA Authentication is disabled and the user has no
public keys in the account. Otherwise, the user could authenticate
using RSA public keys and use port forwarding with both an exclamation
point in the password string of the shadow password file and /bin/false
in the password file.

I "disabled" an account via `passwd -l`, checked for the exclamation
point in "/etc/shadow", and installed some public keys for which I had
the private keys. I was able to authenticate with an OpenSSH server
daemon (2.9p2) [1]. We don't use passwords for shell access on this
particular host, anyway. This requires trusting users to have good
passphrases on their private keys. Even if they don't, the key is
elsewhere.

> On Fri, 8 Mar 2002, Matt Barclay wrote:
> > Many folks will disable an account by setting the user's shell to
> > /bin/false. That prevents the user from logging in and executing a shell.
> > Well, SSH2 has a "-N" switch that says "don't execute a shell or a
> > command". It is useful if you are setting up SSH tunnels. The
> > combination of "-N" with forwarding will then allow the user, with
> > /bin/false as a shell, to authenticate with the SSHD server and port
> > forward to any machine anywhere. The forwarded packets will look like
> > they are coming from the SSHD server. I tested this by SSH'ing into a
> > friend's firewall and forwarding ports into his private LAN.
> >
> > So lesson learned: don't forget to list disabled accounts in sshd_config
> > using the DenyUsers directive.

[1] I disabled UseLogin, but I should upgrade. I see that 3.1 is out now.

--
-William
Get some rest. If you haven't got your health, you haven't got anything.
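The check the thread points at, written up as an added example that is not part of the original message or of OpenSSH: a POSIX shell audit that lists accounts "disabled" by `passwd -l` (a leading `!` or `*` in the shadow field) or by a /bin/false or nologin shell which still have an authorized_keys file and are not named in a DenyUsers line, i.e. accounts sshd would still accept for `ssh -N` port forwarding. All file paths are parameters, and the fixture data (user names, hashes, key lines, the sshd_config line) is constructed for the example; on a live host pass /etc/passwd, /etc/shadow, /etc/ssh/sshd_config and / as the home root (reading /etc/shadow needs root). DenyUsers wildcard patterns and Match blocks are not interpreted, which is an assumption of the example, not a property of sshd.

```shell
#!/bin/sh
# Added example, not code from the original thread. Audits "disabled" accounts
# that sshd would still accept: a locked password ("!"/"*" in the shadow field,
# as left by `passwd -l`) or a /bin/false or nologin shell does not stop public
# key authentication, and `ssh -N` never needs the shell, so such an account can
# still open forwarded ports unless sshd itself rejects it (DenyUsers).

# audit_disabled_accounts PASSWD SHADOW SSHD_CONFIG HOME_ROOT
#   HOME_ROOT is prefixed to each home directory (use / on a live system).
#   Prints "user: reason ..." for every disabled account that has an
#   authorized_keys file and is not named in a DenyUsers line.
#   Returns 0 when there are no findings, 1 otherwise.
audit_disabled_accounts() {
    passwd_file=$1; shadow_file=$2; sshd_cfg=$3; home_root=$4
    # Every user named on any DenyUsers line, joined into one space-separated
    # list. Simplification: wildcard patterns and Match blocks are not handled.
    denied=$(sed -n 's/^[[:space:]]*[Dd]eny[Uu]sers[[:space:]]*//p' "$sshd_cfg" | tr '\n' ' ')
    findings=0
    while IFS=: read -r user _pw _uid _gid _gecos home shell; do
        pwfield=$(awk -F: -v u="$user" '$1 == u { print $2 }' "$shadow_file")
        reason=""
        case "$pwfield" in
            '!'*|'*'*) reason="locked password" ;;
        esac
        case "$shell" in
            */false|*/nologin) reason="${reason:+$reason, }shell $shell" ;;
        esac
        [ -n "$reason" ] || continue                                  # not disabled
        [ -s "$home_root$home/.ssh/authorized_keys" ] || continue     # no keys
        case " $denied " in
            *" $user "*) continue ;;                                  # sshd rejects it
        esac
        printf '%s: %s but has authorized_keys and is not in DenyUsers\n' "$user" "$reason"
        findings=$((findings + 1))
    done < "$passwd_file"
    [ "$findings" -eq 0 ]
}

# make_fixture: builds a constructed /etc and home tree under a temp dir and
# prints its path. Hashes and key lines are placeholders, not real credentials.
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/etc" "$d/home/alice/.ssh" "$d/home/bob/.ssh" "$d/home/carol"
    cat > "$d/etc/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/sh
alice:x:1001:1001:Alice:/home/alice:/bin/false
bob:x:1002:1002:Bob:/home/bob:/bin/sh
carol:x:1003:1003:Carol:/home/carol:/bin/false
EOF
    cat > "$d/etc/shadow" <<'EOF'
root:$6$salt$PLACEHOLDERHASH:15000:0:99999:7:::
alice:$6$salt$PLACEHOLDERHASH:15000:0:99999:7:::
bob:!$6$salt$PLACEHOLDERHASH:15000:0:99999:7:::
carol:!$6$salt$PLACEHOLDERHASH:15000:0:99999:7:::
EOF
    printf 'DenyUsers carol dave\n' > "$d/etc/sshd_config"
    printf 'ssh-rsa AAAAPLACEHOLDER alice@example\n' > "$d/home/alice/.ssh/authorized_keys"
    printf 'ssh-rsa AAAAPLACEHOLDER bob@example\n' > "$d/home/bob/.ssh/authorized_keys"
    printf '%s\n' "$d"
}

# With four arguments, audit the given files; with --demo, run on the fixture.
if [ "$#" -eq 4 ]; then
    audit_disabled_accounts "$@"
elif [ "${1:-}" = "--demo" ]; then
    fx=$(make_fixture)
    audit_disabled_accounts "$fx/etc/passwd" "$fx/etc/shadow" "$fx/etc/sshd_config" "$fx"
    rm -rf "$fx"
fi
```

On the fixture, `--demo` reports alice (disabled only by her /bin/false shell) and bob (locked with `passwd -l` but still holding a /bin/sh shell), while carol is silent because she has no keys and is already in DenyUsers. Adding `DenyUsers alice bob` to the config clears both findings, which is the fix the thread arrives at; DenyUsers applies before any authentication method, so it covers public keys as well as passwords.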