Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!

Sign In Register

Quick Links


Shells Virtual Desktop
BMail.ag - Secure Email Service
Server.net
CPLicense.net
VPS Server
Buy VPN
Vultr
VMs for AI
HostDare
ReliableSite White-Label Dedicated Hosting for Resellers
InterServer VPS
BMail.ag - Secure Email Service
Best VPN
High-Performance Bare Metal Server Solutions
Karvl.com
Server Mania Cloud Hosting
DataWagon Hosting
AlphaVPS Hosting
Evoxt.com
Clouvider
VPS Hosting with NVMe
Residential IPs in the US & 4G Mobile Proxies in EU & US with Unlimited Bandwidth
ReliableSite White-Label Dedicated Hosting for Resellers
Rabisu - Hosting Solutions
Shells Virtual Desktop

Categories

In this Discussion

Home Help
New on LowEndTalk? Please Register and read our Community Rules.

All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.

Terminal-Based SSH Portfolio

cemalgnltscemalgnlts Member
in Help

Hi,

Some users or programs provide a custom interface that you can connect to via SSH. I've looked into this and found a simple way to set it up like this:

Match User guest
    ForceCommand /home/guest/welcome.sh
    PermitEmptyPasswords yes
    PasswordAuthentication yes
    AllowTcpForwarding no
    X11Forwarding no

But what are the security implications? Could a user potentially escape the script execution and gain shell access to the system?

Thanks.

Thanked by 1stable_genius

Comments

  • olokeoloke Member, Host Rep

    @cemalgnlts said: But what are the security implications? Could a user potentially escape the script execution and gain shell access to the system?

    Hi :)

    I think you are on good track with your current sshd configuration, however there are couple more things that you could consider:

    Match User guest
    ForceCommand /home/guest/welcome.sh
    PermitEmptyPasswords yes
    PasswordAuthentication yes
    PermitTTY no
    Subsystem sftp /bin/false
    DisableForwarding yes

    First of all, you need to disable TTY. Running client with ssh -t would allow an attacker to get shell access if your script did not exit properly or attacker found some way to escape it. The risk could've been worse if the script was interactive, taking user input.

    I think you should also disable SFTP subsystem as it could be used to transfer files to your system and potentially overwrite the script. The welcome.sh should ideally also be writable only by root to prevent this (or other methods of overwriting it).

    I didn't include this here, but using the chroot directory (ChrootDirectory) should restrict the potential filesystem access even further. Here's a guide on how you could set this up.

    Disabling X11 and TCP forwarding is a good practice, however there are some more stuff SSH can forward. That includes TUN devices (-w), StreamLocal (Unix-domain) and ssh agent (-A). To disable any forwarding, you may use DisableForwarding yes

    Here's full explanation of all SSH options (man page):
    https://man.openbsd.org/sshd_config

    And finally, just to be extra sure, I would run something like this on a server that doesn't have any important data or services running. Discovering a critical vulnerability in SSH is highly unlikely, but seeing recent events, you never really know...

    Thanked by 6BasToTheMax xvps cemalgnlts plumberg Murv Frameworks
  • xvpsxvps Member

    @oloke said:

    @cemalgnlts said: But what are the security implications? Could a user potentially escape the script execution and gain shell access to the system?

    Hi :)

    I think you are on good track with your current sshd configuration, however there are couple more things that you could consider:

    Match User guest
    ForceCommand /home/guest/welcome.sh
    PermitEmptyPasswords yes
    PasswordAuthentication yes
    PermitTTY no
    Subsystem sftp /bin/false
    DisableForwarding yes

    First of all, you need to disable TTY. Running client with ssh -t would allow an attacker to get shell access if your script did not exit properly or attacker found some way to escape it. The risk could've been worse if the script was interactive, taking user input.

    I think you should also disable SFTP subsystem as it could be used to transfer files to your system and potentially overwrite the script. The welcome.sh should ideally also be writable only by root to prevent this (or other methods of overwriting it).

    Many, including hosting providers, use an outdated version of OpenSSH that has a scp command injection vulnerability.

    Most of them ignore it, because it can't be used for privilege escalation in itself, and requires a valid login.

    In this case, it is important to keep your ssh up-to-date.

    Googled this simple exploit, so @cemalgnlts can test it:
    https://github.com/cpandya2909/CVE-2020-15778

    Thanked by 2oloke cemalgnlts
  • cemalgnltscemalgnlts Member

    @oloke Awesome, this is exactly what I was looking for, thanks!
    @xvps I'll keep that in mind, thanks.

    Thanked by 1oloke
  • stable_geniusstable_genius Member
    edited May 12

    @oloke said:
    And finally, just to be extra sure, I would run something like this on a server that doesn't have any important data or services running. Discovering a critical vulnerability in SSH is highly unlikely, but seeing recent events, you never really know...

    Using OpenBSD to host the ssh sessions would make it more secure. Running an OpenBSD VPS inside your Linux VPS is a possibility, you would probably not have kvm enabled in qemu but that may not be a problem in this very lightweight use case.

    Thanked by 1cemalgnlts
Sign In or Register to comment.