Turn off echo in a terminal
Imagine you are writing a shell script that requires the user to input confidential information, let's say a password.
The user won't feel comfortable if the password is echoed on the screen like plain text. If you have ever used expect for interactive scripting, you certainly know this kind of problem.
Don't worry, it's amazingly easy to perform this trick and stop echoing whatever the user types on the screen.
Simply add the following line to your script:
stty -echo
and you are done: the terminal stops echoing what the user types. Let's see an example:
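#!/bin/bash
echo Hello
# Stop the terminal from echoing typed characters
stty -echo
# do whatever you want to do (output from echo is still shown; only typed input is hidden)
echo 'I slept with your girlfriend'
# Turn input echo back on
stty echo
echo Bye
exit 0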
That’s it! Just remember to put it back to normal with the following command:
stty echo
Also, it would be helpful for you to read the whole man page for stty.
$ man stty
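An added example, not part of the original post: a prompt function that saves the terminal settings with stty -g, turns echo off, and restores the settings even if the script is interrupted before it reaches the restore step. The names read_secret, SECRET and do_login are made up for this example.

```shell
#!/bin/sh
# read_secret PROMPT
# Reads one line from stdin into the variable SECRET without echoing it.
# read_secret and SECRET are names made up for this example.
read_secret() {
    _rs_saved=""
    _rs_status=0
    if [ -t 0 ]; then
        # stty -g prints the current settings in a form stty can reload,
        # so we restore exactly what the user had instead of assuming "echo".
        _rs_saved=$(stty -g)
        # If the script is interrupted while echo is off, put the terminal
        # back first; otherwise the user's shell stays silent afterwards.
        trap 'stty "$_rs_saved"; exit 1' INT TERM HUP
        stty -echo
    fi
    # The prompt goes to stderr so it never ends up in captured output.
    printf '%s' "$1" >&2
    # IFS= and -r keep leading spaces and backslashes in the password intact.
    IFS= read -r SECRET || _rs_status=$?
    if [ -n "$_rs_saved" ]; then
        stty "$_rs_saved"
        trap - INT TERM HUP
        printf '\n' >&2    # the Enter key was not echoed either
    fi
    # Non-zero when stdin hit end-of-file before a full line was read.
    return "$_rs_status"
}

# Usage in a script (do_login is hypothetical):
#   read_secret 'Password: ' && do_login "$SECRET"
```

The final trap - INT TERM HUP resets those signals to their defaults, so a script that installs its own handlers should re-install them after calling the function.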
Linux Restricted Shell
This is a typical situation: you created users that were intended to stay in their /home environment, but they seem to have a knack for poking around all your server directories.
A restricted shell is a Unix shell that has been modified to allow the user to do fewer things than a normal shell would. Restricted shells let you control the user's environment, allowing only specific admin-approved commands.
rssh is such a restricted shell. Unlike bash, it gives the user no general command line; it allows only those of the following commands that you enable:
scp – secure copy
sftp – secure FTP
cvs – version control system
rsync – sync filesystem
rdist – backup utility
rssh is available through yum in Fedora and apt-get in Debian. You can also get a fresh copy from the official website (http://dragontoe.org/rssh/).
In Fedora:
# yum install rssh
In Debian:
# apt-get install rssh
Now rssh is installed. By default, its configuration locks down everything, including any sort of access, so we need to set up the configuration file. The default file is located at /etc/rssh.conf
For example, I want to allow only scp and sftp on my server. I'm also leaving some commented lines for future use, just in case.
allowscp
allowsftp
#allowcvs
#allowrdist
#allowrsync
There is no rssh service; the configuration is read on the fly.
The next logical step is to add some users.
# useradd -m -d /home/sara -s /usr/bin/rssh sara
Or, if the user already exists, use usermod to assign the restricted shell.
# usermod -s /usr/bin/rssh sara
Now, let's say sara tries to connect to the server with ssh or telnet; a message like the following will appear.
This account is restricted by rssh.
Allowed commands: scp sftp
If you believe this is in error, please contact your system administrator.
Connection to localhost closed.
rssh is a simple way to implement security on your server. Rather than an unbreakable security measure, rssh is just the start of forging a secure server. It would be awesome if you could also include a Unix jail or a custom restricting script written in your favorite programming language.
Just remember to never underestimate the ingenuity of your users.
Good luck!