
We have a CentOS 7 server running an application that uses telnet. Instead of opening up the port to allow direct telnet access we'd like a more secure option of users using SSH to log in and connect to telnet from there.

However, these users don't need access to anything else, at all. Thus I was wondering if it is possible to either create a custom shell that automatically opens up the telnet interface, or to limit a shell to only allow the telnet command.

Of course, if there are other, better solutions available I'd love to hear about those too!

The specific command they'd need access to is:

telnet <ip> 25568

where <ip> would be one of the few local IP addresses configured

  • Are the users connecting with password or public key auth? Public key auth can force a specific command to be run. – thrig Nov 10 '16 at 16:48
  • using a password, not all users have the technical knowledge to use public keys unfortunately, thus for simplicity we've opted to use a username/password combination. Of course there is also the point that the IP parameter differs from time to time, running a single command wouldn't work in that case. – xorinzor Nov 10 '16 at 16:53
  • Sure, look at the chsh command. – jthill Nov 10 '16 at 16:55
  • Running a menu as their login shell that offers the choice of what to exec telnet ... to would be a likely option. – thrig Nov 10 '16 at 17:00
  • @thrig that sounds like a perfect solution, how would I go about configuring that? – xorinzor Nov 10 '16 at 17:01
  • http://unix.stackexchange.com/questions/185843/menu-script-over-ssh has sample code and http://unix.stackexchange.com/questions/250230/offer-or-push-menu-to-ssh-users shows two ways to present it – thrig Nov 10 '16 at 17:07
  • Could you add that as an answer to this post? It sounds like you've provided me with what I needed :) Thank you! – xorinzor Nov 10 '16 at 17:08

1 Answer


One method would be to chsh their account to use something like the following as their login shell, which loops forever until an appropriate number is input, at which point the script replaces itself with the telnet call. You may want to disable the telnet escape code (telnet -E ...) if the commands offered there are problematical, and otherwise have a look at each option telnet offers to see if any of those should or should not be set. It may also be prudent to unset or specifically set certain environment variables carried along from the remote SSH client (e.g. PATH, locale settings, etc; inspect these with env > whatenvisset or such from the script).

#!/bin/bash

# Prompt shown by the select builtin below.
PS3='number for remote host: '

# Loop until one of the listed addresses is chosen. On input that matches
# no entry, select leaves $ipaddr empty (the raw input is in $REPLY) and
# shows the menu again; EOF ends select, and the outer loop redisplays it.
while :; do
  select ipaddr in 192.0.2.4 192.0.2.5 192.0.2.6; do
    if [[ -n "$ipaddr" ]]; then
        # exec replaces this shell with telnet: when telnet exits there is
        # no shell to fall back to, so the SSH session ends.
        exec /usr/bin/telnet "$ipaddr" 25568
    fi
  done
done

This would be easy to automate remotely if necessary via expect though perhaps less pretty than using dialog to throw up a more graphical menu of options.

thrig
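The same idea as thrig's script, carried a bit further, as an added example that is not part of the original answer: a POSIX sh login shell with the host allowlist in one place, the telnet escape character disabled, a clean environment handed to telnet, and the argument check a login shell needs because sshd invokes it as `shell -c command` for `ssh user@host command`, scp and sftp. The install path /usr/local/bin/telnet-menu, the user name alice and the three 192.0.2.x addresses are assumptions; the port 25568 is the one from the question.

```shell
#!/bin/sh
# telnet-menu: restricted login shell that only offers "telnet <host> 25568".
# Example code written for this page, not thrig's script. The install path,
# the user name and the three addresses are assumptions; put the real local
# addresses into the case table in pick_host.
#
#   install -m 0755 telnet-menu /usr/local/bin/telnet-menu
#   echo /usr/local/bin/telnet-menu >> /etc/shells
#   chsh -s /usr/local/bin/telnet-menu alice

TELNET=/usr/bin/telnet
PORT=25568

# Allowlist: menu number -> address. Whatever the user types, only these
# three strings can ever reach the telnet command line (192.0.2.0/24 is the
# RFC 5737 documentation range, used here as a placeholder).
pick_host() {
    case "$1" in
        1) echo 192.0.2.4 ;;
        2) echo 192.0.2.5 ;;
        3) echo 192.0.2.6 ;;
        *) return 1 ;;
    esac
}

# sshd runs the login shell as "<shell> -c <cmd>" for "ssh user@host cmd",
# scp and sftp. A menu shell has to refuse any arguments, or it is not
# actually restricted.
accept_invocation() {
    [ "$#" -eq 0 ]
}

# The menu is generated from the allowlist, so there is nothing to keep in sync.
show_menu() {
    printf '\nRemote host:\n'
    n=1
    while host=$(pick_host "$n"); do
        printf '  %s) %s\n' "$n" "$host"
        n=$((n + 1))
    done
}

main() {
    if ! accept_invocation "$@"; then
        printf 'This account only provides the telnet menu.\n' >&2
        exit 1
    fi
    # ^C should not kill the menu (the user would only be logged out, but it
    # is a poor experience); the traps are cleared again before exec.
    trap '' INT QUIT
    while :; do
        show_menu
        printf 'number for remote host (q to log out): '
        # EOF (^D) ends the session instead of redisplaying the menu.
        read -r choice || exit 0
        case "$choice" in
            q|Q) exit 0 ;;
        esac
        if host=$(pick_host "$choice"); then
            trap - INT QUIT
            # Replace this shell with telnet. "env -i" drops everything the
            # SSH client sent along (PATH, LC_*, ...) and passes only a fixed
            # PATH and the terminal type; -E disables the escape character,
            # so the telnet> prompt and its shell-escape command are unreachable.
            exec /usr/bin/env -i PATH=/usr/bin:/bin TERM="${TERM:-vt100}" \
                "$TELNET" -E "$host" "$PORT"
        fi
        printf 'invalid choice: %s\n' "$choice" >&2
    done
}

# Start the menu only on a terminal (sshd allocates one for interactive
# logins), or when arguments were passed, so "-c ..." is rejected with a message.
if [ -t 0 ] || [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Two things sit outside the script. The shell has to be listed in /etc/shells for chsh to accept it, and restricting the shell says nothing about the SSH session itself: for these accounts also set AllowTcpForwarding no, AllowAgentForwarding no and X11Forwarding no in an sshd_config Match User block, otherwise `ssh -L` reaches any host the server can, menu or not.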