Remote command in PuTTY

I have an issue with all of my AIX servers where a user can execute a remote command (bash in this case) using PuTTY and bypass all of the application security that we set up in the users' .profile. How do I secure this without breaking the rest of the users?

Welcome to the forum.

Data, please. Show the remote access and how it is achieved, the user's authentication model / process, his/her authorizations, the .profile. This way you'll get more detailed and precise answers back than when people are just guessing.

In the PuTTY connect dialog box under Connection -> SSH the user enters "bash -norc" in the Remote command box and then clicks Open. I'd post the image but I'm not allowed yet.

Sorry, but I don't understand: PuTTY is an SSH client which I use myself. If the user can connect to a system and execute bash -norc, that means he has

1) identified himself to the system (by password, SSH-key, whatever)
2) has the right to execute whatever it is he executes

What exactly is breaking the security now? And, finally, if you don't want users to use bash, why do you install it onto the system? AIX has Korn shell as the system default and you can either deinstall bash or disable its use as a login shell in /etc/security/login.cfg.

I hope this helps.

bakunin


Yes, the user has a valid login and can log in normally, but a snippet of the .profile may help explain.

The .profile has:

--------------------------------------------------------------------

stty erase ^H
stty intr '^c' kill '^x' erase '^h' quit '^_' susp '' dsusp '' echoe ixon -parity

case $TERM in
        "vp")
                TERM=vp60
                export TERM
                ;;
        "unknown")
                TERM=vp60
                export TERM
                ;;
        *)
                ;;
esac
MEDA=${MEDA:=/opt/meda}
OPENWINHOME=${OPENWINHOME:=/usr/openwin}
UVHOME=/u1/uv/bin:/u1/mpsc/bin:/u1/mpsc/custom
MANPATH=${MANPATH:=/usr/share/man:${OPENWINHOME}/share/man}
PATH=.:${UVHOME}:${OPENWINHOME}/bin:${MEDA}/bin:/bin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/ucb:/apps/local/bin

PS1='$LOGNAME $PWD $ '
export MANPATH PATH UVHOME OPENWINHOME MEDA TERM PS1
if [ `tty` = /dev/console ]; then
        exec ${OPENWINHOME}/bin/openwin
else
        if [ -d /u1/LOGIN ]; then
#               /apps/local/bin/inform.ksh
                cd /u1/LOGIN
                exec /u1/uv/bin/uv
        fi
fi
----------------------------------------

The key to the issue is that the "exec /u1/uv/bin/uv" forces them into the application, where they are trapped and cannot execute any UNIX commands.

Slowly but constantly we seem to get down to the real question. Nothing to do with PuTTY.

You want to prevent people from circumventing the lock to your application.

Did you consider assigning the respective user(s) a "restricted shell" in their /etc/passwd entry?

Or, maybe, the application itself?

In AIX there is a file /etc/profile which should always be executed. Put a read-only variable ENV there and set it to an rc-script which starts the application.

I hope this helps.

bakunin

@bakunin: I was thinking of the same proposal, but s/he seems to need two options to exec, depending on what terminal s/he's logging in from.

Thanks all, it looks like a restricted shell is the answer. Now on to implement it for the users without breaking anything.
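Before switching the application accounts to a restricted shell, it helps to see which of them still have an unrestricted login shell that will honour an SSH remote command. The script below is an added example, not code from this thread: the passwd lines are constructed, and the rksh paths are assumed locations of the AIX restricted Korn shell.

```shell
#!/bin/sh
# Constructed sample /etc/passwd content (not taken from a real system).
SAMPLE_PASSWD='root:!:0:0::/:/usr/bin/ksh
appuser1:!:201:1::/home/appuser1:/usr/bin/ksh
appuser2:!:202:1::/home/appuser2:/usr/bin/rksh
appuser3:!:203:1::/home/appuser3:/bin/bash
admin:!:300:1::/home/admin:/usr/bin/ksh'

# Shells treated as restricted; rksh paths are an assumption for this example.
RESTRICTED_SHELLS='/usr/bin/rksh /bin/rksh'

# Print "user:shell" for every application user (space-separated list in $2)
# whose login shell in the passwd data ($1) is not a restricted shell.
# Such a user can pass a remote command like "bash -norc" over SSH and never
# reach the exec in .profile, so these are the accounts still to be fixed.
unrestricted_app_users() {
    passwd_data=$1
    app_users=$2
    printf '%s\n' "$passwd_data" | awk -F: -v users="$app_users" -v rsh="$RESTRICTED_SHELLS" '
        BEGIN {
            n = split(users, u, " "); for (i = 1; i <= n; i++) want[u[i]] = 1
            m = split(rsh, r, " ");   for (i = 1; i <= m; i++) ok[r[i]] = 1
        }
        ($1 in want) && !($7 in ok) { print $1 ":" $7 }'
}

# Example run against the constructed data (prints appuser1 and appuser3).
unrestricted_app_users "$SAMPLE_PASSWD" "appuser1 appuser2 appuser3"
```

On a real server, replace the constructed data with the contents of /etc/passwd (for example `unrestricted_app_users "$(cat /etc/passwd)" "$APP_USERS"`) and add whatever shell path your site uses for the restricted shell to RESTRICTED_SHELLS.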