Shulou(Shulou.com)06/01 Report--

This article introduces the relevant knowledge of "how to realize the permissions of users who log on to the Linux server remotely with SSH". In the operation of actual cases, many people will encounter such a dilemma, so let the editor lead you to learn how to deal with these situations. I hope you can read it carefully and be able to achieve something!

In order to meet the needs of "break qiang", it is a very common method to set up a ssh login user on a foreign Linux host (such as DreamHost) and use ssh's Tunnel as a proxy.

But the owner often wants to minimize the user rights in order to avoid the impact on the system. The easiest way is to disable users from logging in.

In fact, ssh can connect to sshd without executing remote commands (the default is to start the user-set shell), just use the-N parameter.

Create a username on the server:

Add the user: useradd-s / bin/false username, and set the user's shell to / bin/false. In this way, the user cannot interact with the system.

Set password: passwd username

Of course, for existing users, you can also change the user permissions to be forwarded only by tcp:

The code is as follows:

Usermod-s / bin/false USERNAME

You can also use / usr/bin/passwd as the user's shell, so that the user can change the password by logging in. Note that the line / usr/bin/passwd needs to be written into the / etc/shells file.

After the sshd authentication is completed, it will check whether the set shell is registered in the / etc/shells file, if it has been registered, then fork itself, and then the child process out of fork will shell the exec setting. The-N parameter of ssh tells sshd that there is no need to execute shell.

Establish a Tunnel:

The code is as follows:

Ssh-D 1080-qfnN username@hostname

You can use it by entering your password (you can also use key authentication).

For Windows, you can use plink.exe or MyEnTunnel (MyEnTunnel essentially uses plink.exe to build Tunnel).

At this time, the account username can use TcpForwarding through the authentication of sshd, but it cannot run shell or interact with the system. Just can be used to provide foreign agent break qiang for friends.

Detailed description of parameters:

-D 1080 establishes dynamic Tunnel and listens on local port 1080.

-Q quiet mode.

-f ssh runs in the background, that is, after authentication, ssh returns to the background.

-n redirects stdio to / dev/null for use with-f.

-N does not run remote programs. That is, notify sshd not to run the set shell.

This is the end of the content of "how to realize the permissions of users who log in to the Linux server remotely with SSH". Thank you for reading. If you want to know more about the industry, you can follow the website, the editor will output more high-quality practical articles for you!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.