[clug] Wanted: Developer to securely implement a restricted SSH shell
Adam Thomas
adam.lloyd at gmail.com
Sun Jan 3 23:35:34 MST 2010
2010/1/4 Hal Ashburner <hal.ashburner at gmail.com>:
> On 04/01/10 17:24, Steven Hanley wrote:
>>
>> On Mon, Jan 04, 2010 at 05:21:10PM +1100, Michael Still wrote:
>>
>>>
>>> Nathan O'Sullivan wrote:
>>>
>>>>
>>>> If you or your company do this kind of work, please mail me off-list. I
>>>> am happy to discuss someone working on this after hours and would love
>>>> to put a bit of cash into the pockets of a list member.
>>>>
>>>> Or if you can recommend someone that would be excellent too.
>>>>
>>>>
>>>> I've posted the requirements off list, but to summarise: I need a way
>>>> to let customers access their Xen domU console ("xm console $DOMAIN")
>>>> over SSH, while doing our utmost to prevent the customer from doing
>>>> anything else on the dom0.
>>>>
>>>> Further description and a naive implementation is available at
>>>> http://www.mammothmedia.com.au/~nats/restricted-shell-job.txt
>>>>
>>>
>>> Are you thinking of implementing a restricted shell and using openssh,
>>> or a custom ssh server?
>>>
>>
>> Bob has some code in the svn repository here that does a restricted ssh
>> job
>> for students submitting assignments with elevated privoleges on a
>> different
>> server, he may be able to help you out with that if you have a look at how
>> it works.
>>
>>
>
> Can't this be done simply by replacing /bin/sh in /etc/passwd with
> /path/to/some/binary
> that execs xm console $DOMAIN for given domU logins?
> What am I missing here?
The `xm console $DOMAIN` command needs to be run as root.
Would setuid root on the proposed shell script work?
> --
> linux mailing list
> linux at lists.samba.org
> https://lists.samba.org/mailman/listinfo/linux
>
More information about the linux
mailing list