minihows Freebsd – Build a very simple FreeBSD free shell server (English).


by dzup (19 dec 2008 UTC 6am)
zzerver@yahoo.com

In this minihowto I will try to explain how to build a free shell service using FreeBSD.
The idea is that anyone can create a shell account on the system by logging in via ssh
with username “newuser” and password “newuser”.
I am using FreeBSD and ‘sudo’ in this example. To keep this minihowto short and simple we are
not going to use ‘jails’; with a little modification this script may also work on Linux.
Note: there are a bunch of ways to do this, involving different levels of security and difficulty. Keep in mind:
this is a “MINIHOWTO”, meaning it is short and simple; you are welcome to add
suggestions/remarks. This is not the “de facto” method, use at your own risk.

First we need to create our directories, groups, user, quotas, etc.
as root:

touch /sbin/newshell.sh                  # create newshell.sh (the script is filled in below)
chmod +x /sbin/newshell.sh               # make it executable
echo "/sbin/newshell.sh" >> /etc/shells  # add newshell.sh to the list of valid login shells
pw group add freeshell                   # add our group freeshell
cd /home                                 # chdir to /home
mkdir userexample                        # home directory for the user we use as an example
pw user add -n userexample -d /home/userexample -g freeshell -s /sbin/newshell.sh  # create userexample
chown userexample:freeshell /home/userexample             # userexample:freeshell owns the directory

Please define quotas for userexample; they will be copied to every new user. Use:
edquota userexample

then:
pw user add -n newuser  -g wheel -s /sbin/newshell.sh     # create our main (registration) user
passwd newuser                                            # enter 'newuser' as the password (if you like)
pkg_add -r sudo                                           # install sudo
echo "wheel    ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers    # don't ask me for the root password
pkg_add -r bash                                           # install bash if you don't have it

We are done, but there are some security issues I would like to point out. I will not use jails at
this point because I want to keep it short and simple; here are some suggestions:
If you are planning a new install, I suggest the following partition layout:
  /
  /swap
  /tmp
  /var
  /usr   # after you have tweaked your box, mount this read-only in /etc/fstab.
  /home  # enable quotas for /home in /etc/fstab.
Programs like yes, ping, sudo, who, top and others should be denied to users in group ‘freeshell’.
Restrict the number of running processes allowed.
If you use PHP, turn on ‘safe_mode’.
…Others will apply.
Now all we need is the script. Copy and paste the following code into /sbin and name it ‘/sbin/newshell.sh’.
Here is the code:

#!/usr/local/bin/bash
# change the line above to where bash is located (do not put a comment after the
# interpreter on the #! line: it is passed to bash as an argument and breaks the script).
# dzup ( zzerver [at] gmail.com )
# Dec 19 2008
echo "http://example.com"
echo "Enter your MOTD here"
echo "Example:"
echo "Welcome to my free ssh service!"
echo "to obtain a shell, please log in as:"
echo "username: newuser"
echo "password: newuser"
num2=$RANDOM   # create a random number to avoid floods (the client must echo it back).
echo "Magic Number: $num2"
echo "What is the Magic Number?"
read -r num1
if [ "$num2" != "$num1" ] ; then
# Avoid floods.
echo "Sorry, Wrong Magic Number, try again ..."
read -r null
exit 1
fi
echo "Please enter your username"
echo "username: "
read -r usuario
if [ -z "$usuario" ] ; then
# username is null.
echo "Invalid username, try again..."
echo "Press Enter to exit."
read -r null
exit 1
fi
# reject dangerous characters: | ; ` < > " ' \ ~ and $
# (tr octal escapes: \140 = ` , \042 = " , \047 = ' , \134 = \ , \176 = ~ )
hacklogin=$(printf '%s\n' "$usuario" | tr -d "|;\140<>\042\047\134\176\$")
if [ "$usuario" != "$hacklogin" ] ; then
# dangerous characters.
echo -e "Invalid Username, try again ...\n"
echo "Press Enter to exit."
read -r null
exit 1
fi
# keep only letters and digits; this is the name actually handed to pw(8).
safelogin=$(printf '%s\n' "$usuario" | tr -cd "[:alnum:]")
if [ -z "$safelogin" ] ; then
# nothing left after filtering (e.g. the name was only punctuation).
echo "Invalid Username, try again ..."
echo "Press Enter to exit."
read -r null
exit 1
fi
# verify if the username already exists (exact match on the login field of master.passwd).
if sudo awk -F: '{print $1}' /etc/master.passwd | grep -qx "$safelogin" ; then
# username already in system.
echo "username: ' $safelogin ' already in our system, try again ... "
echo "Press Enter to exit."
read -r null
exit 1
fi
respuesta="y"
echo "Ready to add $safelogin in our system."
echo "confirm 'y' to yes, any other character to abort."
echo "by answering 'y' you agree to our terms and policies."
echo "Correct (y/n)?"
read -r correcto
if [ "$correcto" != "$respuesta" ] && [ "$correcto" != "Y" ] ; then
# did not accept our terms, so ...byebye.
echo "Aborting creation, thanks."
echo "(if this is an error, we were expecting ' $respuesta ' to create your shell, try again)."
echo "Press Enter to exit."
read -r null
exit 1
fi
# Let's create our new user: primary group freeshell, login class freeshell
# (the class should be defined in /etc/login.conf, see login.conf(5); drop -L if you don't use classes).
echo "Creating $safelogin ..."
if ! sudo pw user add -n "$safelogin" -g freeshell -d "/home/$safelogin" -s /usr/local/bin/bash -L freeshell ; then
echo "Sorry, could not create the account. Press Enter to exit."
read -r null
exit 1
fi
sudo mkdir "/home/$safelogin"    # create his/her home
# lame way to get the new passwd, since it's a minihowto wtf.
# I would like to ask for the passwd before creating the user, hmm, I'll fix that some other time.
echo "Please enter your password (twice):"
sudo passwd "$safelogin"
# now let's create the environment.
# note: at this time the user can enter blank passwds, which is a
# security issue, will be fixed later.
# comments are welcome.
sudo mkdir "/home/$safelogin/public_html"                          # create his/her http space.
sudo chown -R "$safelogin:freeshell" "/home/$safelogin/"           # he/she owns everything in the home.
sudo chmod -R 705 "/home/$safelogin"                               # make sure nobody in our group can read my files
sudo chmod -R 775 "/home/$safelogin/public_html/"                  # make sure apache can read public_html
sudo cp /etc/skel/.bash_profile "/home/$safelogin"                 # cp skel (modify /etc/skel/.bash_profile)
sudo chown "$safelogin:freeshell" "/home/$safelogin/.bash_profile" # he/she owns this
sudo edquota -p userexample "$safelogin"                           # copy user quotas from our userexample
sudo quotacheck -a                                                 # let's update the quotas database
echo "User successfully created!"
echo "Thank you for registering with us."
echo "to login into your new shell use: ssh -l $safelogin example.com"
echo "Press Enter to exit."
read -r null
exit 0
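The script above decides what name to give pw(8) by deleting a short blacklist of characters and then stripping the rest down to alphanumerics, so "bob smith" silently becomes "bobsmith" and anything the blacklist forgot still gets through to the first check. As an added example, not part of dzup's script, here is an allowlist check that accepts only names which can be passed to pw(8) exactly as typed; the reserved-name list is constructed for this example and `login_taken` assumes FreeBSD's `pw usershow` is available.

```sh
#!/bin/sh
# Added example (not part of the original newshell.sh): allowlist validation
# of a requested login name, instead of stripping "bad" characters and using
# whatever is left.
LC_ALL=C; export LC_ALL   # make [a-z] mean ASCII a..z regardless of locale

# Names never handed out on a free shell box (constructed list for this
# example; "newuser" and "userexample" are the accounts from the howto).
RESERVED_LOGINS="root toor daemon operator bin www nobody newuser userexample"

# valid_login NAME -> 0 if NAME may be passed to pw(8) as-is, 1 otherwise.
valid_login() {
    name=$1
    # 3..16 characters (16 is FreeBSD's maximum login name length).
    case ${#name} in
        [3-9]|1[0-6]) ;;
        *) return 1 ;;
    esac
    case $name in
        *[!a-z0-9]*) return 1 ;;   # any byte outside [a-z0-9]: space, quotes,
                                   # backtick, ';', '|', '$', '-', '.', UTF-8 ...
        [a-z]*) ;;                 # must start with a letter, not a digit
        *) return 1 ;;
    esac
    for r in $RESERVED_LOGINS; do
        [ "$name" = "$r" ] && return 1
    done
    return 0
}

# login_taken NAME -> 0 if the account already exists (pw(8) lookup, no
# need to read master.passwd ourselves; requires sudo or root as in the howto).
login_taken() {
    sudo pw usershow -n "$1" >/dev/null 2>&1
}

# check_requested_login NAME -> prints a verdict; returns 0 ok, 1 invalid, 2 taken.
check_requested_login() {
    if ! valid_login "$1"; then
        echo "Invalid username: 3-16 lowercase letters or digits, starting with a letter."
        return 1
    fi
    if login_taken "$1"; then
        echo "username '$1' already in our system, try again ..."
        return 2
    fi
    return 0
}
```

Because the name is rejected rather than rewritten, the account created is always the one the user asked for, and the `"$safelogin"` variable in the script can be replaced by the raw input once it has passed `valid_login`.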

Save the above code in /sbin as newshell.sh. After you have done that, you can ssh to your box
using the ‘newuser’/‘newuser’ combination and it will create a shell for you.
Notes: there are several ways to improve this, as you can see; this is the very basic idea.
Remember to post your remarks/suggestions, they are always welcome.
Thanks and good luck (adios)

2 comments

  1. […] a nice tutorial describing how to build a shell account server with FreeBSD. It is as *insecure* as can be, but the trick is neat. « FreeBSD 7.1 […]

  2. Thank you.
