Re: PLINK and/or PuTTY -- Logon to Linux with no Privileges

"Hal Vaughan" <hal@xxxxxxxxxxxxxxxxxxxx> wrote in message
news:ftSdnSyGnf_rF4LZnZ2dnUVZ_s6dnZ2d@xxxxxxxxxxxxxx
> I need a forwarding application that people I'm working with can run from
> behind restrictive firewalls so VNC can be tunneled through it. I figured
> it would be possible to use putty or plink on port 443 so it would look
> like HTTPS to a firewall (is that right -- will the firewall think
> encrypted data from putty/plink is the same as HTTPS?).

There are firewalls that can detect this sort of thing, but not many that
bother with that sort of smarts.

> The biggest problem I see is that I'll have several different people using
> putty or plink to log into my system and there is no need for them to
> actually have access to anything (other than the ability to log out). All
> I need is the port forwarding.

Hmm. Does your network staff know you're doing this sort of stunt? Perhaps
you can convince them to open up the standard VNC ports for you instead of
trying to work around them, rather than having to sneak behind their backs
and maybe cause them to get really cranky at you if they find you're
drilling holes past their firewalls without their knowledge? Your desire is
reasonable: I hope your network staff is reasonable and can help you get it
done.

It's possible to set up SSH in a chroot cage for more thorough restriction,
or to use a sort-of-restrictive shell for the users. Check out the projects
on sourceforge like http://sourceforge.net/projects/chrootssh. But I highly
recommend Richard Silverman's book on SSH for this sort of detailed
question. He spends time on this newsgroup, and it's well worth the price of
the book for the depth and breadth of its information.

> I'm running Linux. Is there a way to set up a restricted login (even if I
> have to kill it with a kill command instead of them logging out) for putty
> or plink? Or is there a way to set up an account for others to log in to
> that has no rights except the ability to log out?

Not..... trivially. It's theoretically possible, for example, to set up a
restricted login binary to do just this, but a lot of "restricted shells"
have just been badly written shell scripts that were easily broken out of
because, well, they're shell scripts! And it can get complex if you are
using a universal authentication method like LDAP to manage accounts, since
the information about their login from LDAP may conflict with the setup you
want to have them restricted to.
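For what the question is after (an account that can only hold a tunnel open), here is an sshd_config fragment added as an example; it is not from the thread or from any project named in it. It assumes a modern OpenSSH with Match blocks, PermitTTY and PermitOpen (all newer than the chrootssh-era tools discussed above); the group name vncfwd, port 443 and the VNC port 5900 are placeholders.

```conf
# Added example (not from the original post). Members of the hypothetical
# group "vncfwd" get no shell, no pty, no agent/X11 forwarding and may only
# open a local forward to the VNC display on this host.

# Also listen on 443 so the tunnel traverses HTTPS-only firewalls; as the
# reply above says, agree this with the network staff rather than around them.
Port 22
Port 443

Match Group vncfwd
    # Any requested shell or command is replaced by one that exits at once.
    # Clients use "plink -N" / PuTTY's "Don't start a shell or command",
    # which opens no session at all, so the forced command never even runs.
    ForceCommand /bin/false
    PermitTTY no
    X11Forwarding no
    AllowAgentForwarding no
    PermitTunnel no
    GatewayPorts no
    # Only client-side (-L) forwards, and only to the local VNC port.
    AllowTcpForwarding local
    PermitOpen 127.0.0.1:5900
```

Check the file with `sshd -t` before reloading; a forward to any other host:port is refused by sshd rather than by the user's shell, which is the part the reply warns is easily broken out of.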
