How do I create a SSH server that runs a program rather than a full shell?

1

I've got a program that I want to share over ssh (or even telnet; security of the program isn't important), but I don't want to allow the connection to access anything else in my system except for the I/O of that one program (e.g. no scp, no full shell access, no ssh tunnels). Is this possible, and how would I go about it on an Ubuntu system?

Bonus points for being able to run this as a local user, or as nobody.

Adam M-W

Posted 2011-10-17T12:05:15.183

Reputation: 483

GNU Netcat seems to work to some degree (with -e) but can only support one user/session/instance; ideally I'd want to be able to connect more than once without having to restart the server. – Adam M-W – 2011-10-17T12:21:34.357

Answers

1

GNU Netcat seems to work to some degree (with -e) but can only support one user/session/instance; ideally I'd want to be able to connect more than once without having to restart the server.

socat can fork.

I suggest browsing its examples:

socat TCP4-LISTEN:5555,fork,tcpwrap=script \
    EXEC:/bin/myscript,chroot=/home/sandbox,su-d=sandbox,pty,stderr

A simple server that accepts connections (TCP4-LISTEN) and forks a new child process for each connection; every child acts as a single relay. The client must match the rules for daemon process name "script" in /etc/hosts.allow and /etc/hosts.deny, otherwise it is refused access (see "man 5 hosts_access"). For EXEC'uting the program, the child process chroots to /home/sandbox, su's to user sandbox, and then starts the program /home/sandbox/bin/myscript. Socat and myscript communicate via a pseudo tty (pty); myscript's stderr is redirected to stdout, so its error messages are transferred via socat to the connected client.

RedGrittyBrick

Posted 2011-10-17T12:05:15.183

Reputation: 70 632

4

I see two simple approaches:

  1. Create local users that get your program executable as login shell.

  2. Add an xinetd service that calls your program (users can then telnet to this service).

ktf

Posted 2011-10-17T12:05:15.183

Reputation: 2 168

0

Create the users that will use the server as follows:

adduser -s /bin/software username

Where /bin/software is the location of the software and username is, well, the username of the user.

Be aware that people can still get access to a shell if they find a security breach in your software.

motobói

Posted 2011-10-17T12:05:15.183

Reputation: 744
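The "program as login shell" approach in ktf's first option and motobói's answer hinges on what that shell does with the arguments sshd hands it (scp, sftp and `ssh host cmd` all arrive as `shell -c "..."`). Below is a wrapper login shell that runs the program only for an interactive login, as an added example that is not code from the question or any answer; the program path /usr/local/bin/myprogram and the installed name restricted-login are assumed placeholders.

```shell
#!/bin/sh
# restricted-login: a login shell that only ever runs one program.
# Added example, not code from the question or any answer.
# Assumption: the program to expose is /usr/local/bin/myprogram (placeholder);
# override with PROGRAM=... . Install this file as the user's login shell, e.g.
#   adduser --shell /usr/local/bin/restricted-login username
PROGRAM="${PROGRAM:-/usr/local/bin/myprogram}"

# sshd starts the login shell with no arguments for an interactive session, but
# as `shell -c "<command>"` for `ssh host cmd`, scp, sftp and rsync. A program
# that merely ignores its arguments would still run in those cases, so the rule
# is: no arguments at all, or refuse. Returns 0 for an interactive login.
allowed_invocation() {
    [ "$#" -eq 0 ]
}

# Run the single program for an interactive login; refuse everything else.
# Exit status 126 marks a refused command, 127 a missing program.
run_program() {
    if ! allowed_invocation "$@"; then
        printf '%s: only %s is available here; remote commands and file transfer are disabled.\n' \
            "restricted-login" "${PROGRAM##*/}" >&2
        return 126
    fi
    if [ ! -x "$PROGRAM" ]; then
        printf 'restricted-login: %s is not executable\n' "$PROGRAM" >&2
        return 127
    fi
    # The program inherits only the stdin/stdout/stderr that sshd gave the shell.
    "$PROGRAM"
}

# Entry point: runs only when invoked under the installed name (sshd passes the
# login shell as "-restricted-login"), so the functions can also be sourced.
case "${0##*/}" in
    restricted-login|-restricted-login)
        run_program "$@"
        exit $?
        ;;
esac
```

The login shell cannot stop port forwarding, which sshd sets up without running any shell, so pair it with a sshd_config `Match User` block that sets `AllowTcpForwarding no`, `PermitTunnel no` and `X11Forwarding no`. With this shell in place, scp and sftp to the account fail with the refusal message instead of reaching the program.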