I just wanted to create an ssh key that can be used only for port forwarding, so that the user cannot log in to the machine with it.

As a first attempt I think I managed to do that, just by prepending the following options to the public part of the key and then adding it to .ssh/authorized_keys. The two options are: command="",no-pty

Port forwarding seems to work fine, and no matter which command I try to execute, nothing happens. :)
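
To check entries like this one for leftover capabilities, here is an added example (not from the original post) that parses the option field of an authorized_keys line and reports what a key still permits besides port forwarding. It goes a little beyond the two options above: it also understands permitopen and the OpenSSH 7.2+ restrict keyword; the key strings used when testing it are constructed.

```python
"""Audit an authorized_keys entry for "port forwarding only" use (added example,
not from the post; assumes OpenSSH option syntax, where quoted values may hold commas)."""

KEY_PREFIXES = ("ssh-", "ecdsa-", "sk-")    # a line starting with a key type has no options

def split_options(field):
    """Split the option field on commas that are outside double quotes."""
    parts, cur, quoted = [], [], False
    for c in field:
        if c == '"':
            quoted = not quoted
        if c == "," and not quoted:
            parts.append("".join(cur)); cur = []
        else:
            cur.append(c)
    parts.append("".join(cur))
    return parts

def parse_options(line):
    """Return {option: value or True} for one authorized_keys line (names lower-cased)."""
    line = line.strip()
    if line.startswith(KEY_PREFIXES):
        return {}
    quoted, end = False, len(line)
    for i, c in enumerate(line):            # option field ends at first unquoted whitespace
        if c == '"':
            quoted = not quoted
        elif c.isspace() and not quoted:
            end = i; break
    opts = {}
    for part in split_options(line[:end]):
        name, _, val = part.partition("=")
        opts[name.lower()] = val.strip('"') if val else True
    if "restrict" in opts:                  # OpenSSH 7.2+: everything off unless re-enabled
        for o in ("no-pty", "no-agent-forwarding", "no-x11-forwarding", "no-port-forwarding"):
            opts.setdefault(o, True)
        if "port-forwarding" in opts:
            opts.pop("no-port-forwarding", None)
    return opts

def audit(line):
    """List what the key still permits beyond (or instead of) plain port forwarding."""
    opts = parse_options(line)
    missing = {"command": "shell or arbitrary commands (no forced command)", "no-pty": "pty allocation",
               "no-agent-forwarding": "agent forwarding", "no-x11-forwarding": "X11 forwarding",
               "permitopen": "forwarding to any destination (no permitopen)"}
    findings = [msg for opt, msg in missing.items() if opt not in opts]
    if "no-port-forwarding" in opts:
        findings.append("port forwarding itself is disabled")
    return findings
```

Running audit() over the post's own two options shows that agent forwarding, X11 forwarding and forwarding to arbitrary destinations are still allowed, which is what no-agent-forwarding, no-X11-forwarding and permitopen close off.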

At work I had to set up, as fast as possible, a server to act as a backup for some of our main servers.

So this post is about setting up a "poor man's" backup server using FTP.

  1. Grab your favourite OpenBSD distro.
  2. Add the ftp user and group account:
    backup:*:1000:1000:Ftp Backup Account:/backup:/sbin/nologin
  3. Add the account to /etc/ftpchroot.
  4. Add a new login class (in /etc/login.conf) that sets the file creation mask for this account:
    backup:\
    :umask=0777:\
    :tc=default:
  5. Set the login class of the account in /etc/master.passwd (with vipw).
  6. Create the $HOME directory of the user:
    mkdir /backup
    chown backup:backup /backup
  7. Create the per-machine backup directories:
    mkdir /backup/machine1
    mkdir /backup/machine2
    chown -R backup:backup /backup
    chmod -R 300 /backup
  8. Apply the following patch to ftpd:

    diff -Naur /usr/src/libexec/ftpd/ftpcmd.y ./ftpd/ftpcmd.y
    --- /usr/src/libexec/ftpd/ftpcmd.y      Thu Nov  5 16:43:15 2009
    +++ ./ftpd/ftpcmd.y     Tue Nov 10 16:50:04 2009
    @@ -82,6 +82,7 @@
    extern int portcheck;
    extern union sockunion his_addr;
    extern int umaskchange;
    +extern  int no_dele;

    off_t  restart_point;

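    Review bot: the added declaration `extern  int no_dele;` has two spaces before `int` where the neighbouring `extern int umaskchange;` has one; match the existing spacing so the hunk only adds the declaration.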
    @@ -394,10 +395,16 @@
    }
    | DELE check_login SP pathname CRLF
    {
    -                       if ($2 && $4 != NULL)
    -                               delete($4);
    -                       if ($4 != NULL)
    -                               free($4);
    +                        if (no_dele) {
    +                                reply(550,
    +                                    “No permission to delete files”);

    +                        }
    +                        else {
    +                                if ($2 && $4 != NULL)
    +                                        delete($4);
    +                                if ($4 != NULL)
    +                                        free($4);
    +                        }
    }
    | RNTO check_login SP pathname CRLF
    {
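    Review bot: the `if (no_dele)` branch never frees `$4`, so every refused DELE leaks the pathname string the parser allocated; the original code freed it on every path. Keep only `delete($4)` conditional and run `if ($4 != NULL) free($4);` after both branches. Also, the `RNTO` rule directly below is left untouched, so a client that cannot DELE can still rename one upload over another and lose the target; gate the rename rules with the same `no_dele` check.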
    diff -Naur /usr/src/libexec/ftpd/ftpd.c ./ftpd/ftpd.c
    — /usr/src/libexec/ftpd/ftpd.c        Thu Nov  5 16:43:16 2009
    +++ ./ftpd/ftpd.c       Tue Nov 10 16:51:13 2009
    @@ -154,6 +154,7 @@
    #endif
    mode_t defumask = CMASK;               /* default umask value */
    int    umaskchange = 1;                /* allow user to change umask value. */
    +int     no_dele = 0 ;          /* disallow ftp delete */
    char   tmpline[7];
    char   hostname[MAXHOSTNAMELEN];
    char   remotehost[MAXHOSTNAMELEN];
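    Review bot: `int     no_dele = 0 ;` has a stray space before the semicolon and its comment column does not line up with the `umaskchange` line above; write it as `int    no_dele = 0;               /* disallow ftp delete */` so it reads as one block of flags.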
    @@ -252,13 +253,13 @@
    return (guest ? path+1 : path);
    }

    -char *argstr = “AdDhnlMSt:T:u:UvP46″;
    +char *argstr = “AdDhnlMSt:T:u:UvP46p”;

    static void
    usage(void)
    {
    syslog(LOG_ERR,
    -           “usage: ftpd [-46ADdlMnPSU] [-T maxtimeout] [-t timeout] [-u mask]“);
    +           “usage: ftpd [-46ADdlMnPSUp] [-T maxtimeout] [-t timeout] [-u mask]“);
    exit(2);
    }

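    Review bot: `p` is added to `argstr` and to the usage string, but nothing documents what it does; add a matching `-p` entry to the ftpd(8) man page in the same change, and note there that lower-case `-p` is unrelated to the existing `-P` option, since the two are easy to mix up in an inetd.conf line.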
    @@ -371,7 +372,9 @@
    case ’6′:
    family = AF_INET6;
    break;
    -
    +                case ‘p’:
    +                        no_dele = 1;
    +                        break;
    default:
    usage();
    break;
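    Review bot: `case ‘p’:` is written with typographic quotes, and the same applies to the `reply(550, “…”)` and `argstr`/usage string literals earlier in the patch; as pasted this will not compile, so re-type them as ASCII `'p'` and `"..."` before applying. The `no_dele = 1;` assignment itself is fine.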

  9. Start ftpd from inetd.conf with the new option:
    ftp             stream  tcp     nowait  root    /usr/libexec/ftpd       ftpd -USnp -u 0777
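
As an added example (not the author's script), a Python checker for the layout the steps above produce: every directory under /backup must be d-wx------, every stored file mode 000, and a file created under umask 0777 must land as mode 000. It assumes it runs as root or as the directory owner, and self_check() builds a constructed tree in a temporary directory so it can be exercised without the backup server.

```python
"""Check the write-only backup layout from this post: directories mode 300 (d-wx------),
files mode 000, and new uploads landing as mode 000 under umask 0777. Added example, not the
author's script; assumes it runs as root or as the directory owner."""
import os, stat, tempfile

DIR_MODE, FILE_MODE, UPLOAD_UMASK = 0o300, 0o000, 0o777   # values from the setup steps

def check_backup_tree(root):
    """Return a list of problems found under root; an empty list means the layout is right."""
    problems = []
    def check_dir(d):
        mode = stat.S_IMODE(os.stat(d).st_mode)
        if mode != DIR_MODE:
            problems.append(f"{d}: directory mode {mode:04o}, want {DIR_MODE:04o}")
        try:
            names = os.listdir(d)
        except PermissionError:      # non-root owner of a mode-300 dir: cannot enumerate uploads
            return
        for name in names:
            p = os.path.join(d, name)
            st = os.lstat(p)
            if stat.S_ISDIR(st.st_mode):
                check_dir(p)
            elif stat.S_IMODE(st.st_mode) != FILE_MODE:
                problems.append(f"{p}: file mode {stat.S_IMODE(st.st_mode):04o}, want 0000")
    check_dir(root)
    probe = os.path.join(root, ".umask-probe")   # simulate an upload under ftpd's -u 0777
    old_umask = os.umask(UPLOAD_UMASK)
    try:
        with open(probe, "w") as fh:
            fh.write("probe\n")
    finally:
        os.umask(old_umask)
    got = stat.S_IMODE(os.stat(probe).st_mode)
    os.remove(probe)
    if got != FILE_MODE:
        problems.append(f"{probe}: new file got mode {got:04o}, want 0000")
    return problems

def self_check():
    """Build a correct tree and a too-open one under a temp dir (constructed); return both results."""
    base = tempfile.mkdtemp()
    good = os.path.join(base, "backup")
    os.makedirs(os.path.join(good, "machine1"))
    for d in (os.path.join(good, "machine1"), good):
        os.chmod(d, DIR_MODE)
    loose = os.path.join(base, "loose")
    os.mkdir(loose, 0o755)              # listable by everyone: wrong for this setup
    return check_backup_tree(good), check_backup_tree(loose)
```

On the real server, run check_backup_tree("/backup") as root after the setup and again periodically; any entry it prints is a directory someone can list or a file someone can overwrite.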

I set the permissions of all folders to d-wx------ so that the user can create the necessary files without being able to list the files that already exist. FTP is not an encrypted protocol, and even though all the transfers happen on the local network, I am paranoid that someone might sniff the username/password. Not being able to list the files just gives a smaller attack surface. All created files have mode 000, so that after creation a file cannot be tampered with. Finally, the purpose of the patch is to prevent someone who has sniffed the password and logged in to the backup server from removing all the backup files (not much of a backup solution then, is it?? ;) ).

After setting up the "backup server", I installed scripts on the servers so that they push their backup data there.

Not the best solution, but having this ready in < 1 hour was really ok :)

The famous quote about errors:

«At the source of every error which is blamed on the computer, you will find at least two human errors, including the error of blaming it on the computer.»

has been adapted by a friend for the recent fires and the reaction of the press officer who blamed the forest:

«At the source of every fire which is blamed on the forest, you will find at least two human errors, including the error of blaming it on the forest.»


Credits to stef.

About this blog ..

October 26, 2006

Third attempt at a blog. I don't know how long it will last. So far I have opened 2 blogs .. and closed them after a while out of boredom and lack of time.

Why the name?? Because it is perhaps my favourite proverb (of which I also have a visual representation in my mind), and it also expresses to a large extent how I perceive the things that happen around me. The category of my life :p

See you in the blog-universe
