H@L0_F00, posted December 6, 2008:

Alright so I'm planning on setting up an SSH server on my Ubuntu desktop machine to use mainly as a proxy while at school. (SSH encryption = probably won't get blocked) I was thinkin about tellin a couple of my friends about it and having them pay, probably weekly ($2?), to use it. But then I realized they would have to have admin access to SSH to the server :( (and I'm not about to give them the sysadmin pass...)

I was just wondering if anybody here knows of a way to SSH w/o cmd? (It's probably not even possible as I couldn't find anything about it on Google but it's worth a try) Any help is greatly appreciated and thanks in advance ;)

Sparda, posted December 6, 2008:

> Alright so I'm planning on setting up an SSH server on my Ubuntu desktop machine to use mainly as a proxy while at school. (SSH encryption = probably won't get blocked) I was thinkin about tellin a couple of my friends about it and having them pay, probably weekly ($2?), to use it. But then I realized they would have to have admin access to SSH to the server :( (and I'm not about to give them the sysadmin pass...)
>
> I was just wondering if anybody here knows of a way to SSH w/o cmd? (It's probably not even possible as I couldn't find anything about it on Google but it's worth a try) Any help is greatly appreciated and thanks in advance ;)

Rule 1 of SSH: root login needs to equal off.

Rule 2 of SSH: user names should not be guessable names.

H@L0_F00, posted December 6, 2008:

yeah i know :P but you don't know of any software that can login to SSH w/o the use of cmd? :(

Sparda, posted December 6, 2008:

> yeah i know :P but you don't know of any software that can login to SSH w/o the use of cmd? :(

FileZilla, but that's just a front end to what is ultimately command line.

I think you're asking the wrong question. I'm not sure what question you are trying to ask, but the answer is "no" to the one you are currently asking.

H@L0_F00, posted December 6, 2008:

alright :( so for something like this what would you recommend? PHProxy? CGI? w/ SSL to *somewhat* stop the sysadmin from realizing it's a proxy?

Sparda, posted December 6, 2008:

> alright :( so for something like this what would you recommend? PHProxy? CGI? w/ SSL to *somewhat* stop the sysadmin from realizing it's a proxy?

Well, the server logs will show lots of web traffic to this server and if they pay attention to usage logs they will probably wonder "what's over here" and go there.

SSL only makes a difference if you install your root certificate into your browser which will make your browser think that any site that uses a certificate signed by you is as trusted as a certificate signed by verisign. This is good for when you are using open wifi as the simplest and least stable form of secure browsing, not so good for hiding what you are doing in a school environment.

You could add a basic auth username/password to it, but there are ways around that and if you don't add your CA root certificate to the browser there is no way to detect it's been 'worked around'.

H@L0_F00, posted December 6, 2008:

> Well, the server logs will show lots of web traffic to this server and if they pay attention to usage logs they will probably wonder "what's over here" and go there.
>
> SSL only makes a difference if you install your root certificate into your browser which will make your browser think that any site that uses a certificate signed by you is as trusted as a certificate signed by verisign. This is good for when you are using open wifi as the simplest and least stable form of secure browsing, not so good for hiding what you are doing in a school environment.
>
> You could add a basic auth username/password to it, but there are ways around that and if you don't add your CA root certificate to the browser there is no way to detect it's been 'worked around'.

what would you suggest though?

PLuNK, posted December 6, 2008:

Set up a Squid proxy on the host, then tunnel your traffic through the port Squid uses. Configure Firefox to use a SOCKS tunnel.

Don't log in as root either; create some more accounts for public use.

H@L0_F00, posted December 6, 2008:

> Set up a Squid proxy on the host, then tunnel your traffic through the port Squid uses. Configure Firefox to use a SOCKS tunnel.
>
> Don't log in as root either; create some more accounts for public use.

Thanks! That looks like exactly what I need! :D I'll be trying it either tonight or tomorrow

PLuNK, posted December 6, 2008:

Not 100% sure if you need a Squid proxy to handle the request on the host's end though, but it shouldn't be too hard to configure.

Read up on the "-D" option in the manual pages for SSH.

aeturnus, posted December 6, 2008:

> Not 100% sure if you need a Squid proxy to handle the request on the host's end though, but it shouldn't be too hard to configure.
>
> Read up on the "-D" option in the manual pages for SSH.

No, you don't need to set up Squid. He also won't need to give his root password to anyone.

If you plan to do this from school or some place that you don't have Linux available to you, I'd suggest checking out PuTTY for your SSH client. It's just a simple exe that you can download and run. You will still need to specify a SOCKS proxy in whatever application you're trying to run though.

Joerg, posted December 6, 2008:

Why don't you create a user with the shell "/bin/false" (no shell access) and give it practically no read/write permissions? Then you could create a key pair and give that to your friends, which enables login without knowing the password.

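
Added example (not part of any post in this thread): a small Python audit of the two pieces of server-side advice above, Sparda's "root login needs to equal off" and Joerg's "/bin/false" accounts. The sshd_config and passwd contents and the account names are constructed samples, and the PasswordAuthentication check assumes the key pairs are meant to replace passwords.

```python
# Added example: constructed inputs, hypothetical account names.
SSHD_CONFIG = """\
Port 36228
PermitRootLogin yes
PasswordAuthentication yes
"""
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
friend1:x:2001:2001::/home/friend1:/bin/false
friend2:x:2002:2002::/home/friend2:/bin/bash
"""
NO_SHELL = {"/bin/false", "/usr/sbin/nologin", "/sbin/nologin"}


def parse_sshd(text):
    """Global sshd_config options as {keyword: value}; first occurrence wins."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if parts[0].lower() == "match":   # per-user overrides start here; stop
            break
        if len(parts) == 2:
            opts.setdefault(parts[0].lower(), parts[1].strip().lower())
    return opts


def audit(sshd_text, passwd_text, tunnel_users):
    """Return a list of findings for accounts meant to be tunnel-only."""
    opts = parse_sshd(sshd_text)
    findings = []
    # An absent PermitRootLogin line is flagged too: the default is not "no".
    if opts.get("permitrootlogin") != "no":
        findings.append("PermitRootLogin is not 'no'")
    # Assumption: key pairs are meant to replace passwords (default is "yes").
    if opts.get("passwordauthentication", "yes") != "no":
        findings.append("PasswordAuthentication is not 'no'")
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue
        name, shell = fields[0], fields[6]
        if name in tunnel_users and shell not in NO_SHELL:
            findings.append(f"{name} has login shell {shell}")
    return findings


if __name__ == "__main__":
    for finding in audit(SSHD_CONFIG, PASSWD, {"friend1", "friend2"}):
        print("FINDING:", finding)
```
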
H@L0_F00, posted December 7, 2008:

> No, you don't need to set up Squid. He also won't need to give his root password to anyone.
>
> If you plan to do this from school or some place that you don't have Linux available to you, I'd suggest checking out PuTTY for your SSH client. It's just a simple exe that you can download and run. You will still need to specify a SOCKS proxy in whatever application you're trying to run though.

PuTTY still uses cmd though, am I wrong? I need a way for people with almost NO technolust ;) to be able to use this. I wouldn't mind showing them how to use PuTTY or another simple app to use it but it needs to be done without access to cmd

PLuNK, posted December 7, 2008:

Well PuTTY is very "odd", I prefer a CLI. But PuTTY should be able to be used without any privileges.

H@L0_F00, posted December 7, 2008:

Great! I still have a bit of a problem though

The desktop running Ubuntu 8.10 is in my house and connected to my laptop. Laptop is connected to my neighbor's router wirelessly (also into hacking, cracking, etc.). The desktop shares internet w/ laptop via ICS.

It would cost too much to have them both on all day along w/ his router so we decided we'll probably put the SSH server in his house to alleviate some power consumption and any IP conflicts that would probably result in trying to run a server from router--->laptop--->desktop.

I've heard about and messed around w/ NAT (think that's what it's called) but I never could get it to work for what I understood it to do lol

so I guess my question is, to run an SSH server through his ADSL modem and Belkin router what would I have to do?

PLuNK, posted December 7, 2008:

Well open port 22 or whatever port you've changed it to.. (Which you need to do!)

That's it.

H@L0_F00, posted December 7, 2008:

hmmm alright thanks for the help! ;)

Sparda, posted December 7, 2008:

> Well open port 22 or whatever port you've changed it to.. (Which you need to do!)
>
> That's it.

Don't open port 22, open port 36228.

aeturnus, posted December 7, 2008:

> PuTTY still uses cmd though, am I wrong? I need a way for people with almost NO technolust ;) to be able to use this. I wouldn't mind showing them how to use PuTTY or another simple app to use it but it needs to be done without access to cmd

I'm not really sure what you mean by "without access to cmd". If you mean you don't want the end users to enter any commands into a shell, then you can allow users to log in using certificates and have their computer connect on start up. Doing this will allow them to SSH into your box without any user interaction.

If you're coming from a Windows perspective and you don't want them to use the "cmd" prompt, then PuTTY has a GUI. I believe plink is the CLI version.

H@L0_F00, posted December 7, 2008:

> Don't open port 22, open port 36228.

I'm not sure that's possible though. I'll have to see if it's forwarded on the proxy server that all the school computers *have to* connect to to reach the internet.

and by no cmd access I mean that the sysadmin has disabled any and all access to command prompt through group policies.

and to stop people from executing unwanted commands I could just make a user group with a high UID right?

Joerg, posted December 7, 2008:

Was my post above useful or useless?

Sparda, posted December 7, 2008:

> I'm not sure that's possible though. I'll have to see if it's forwarded on the proxy server that all the school computers *have to* connect to to reach the internet.
>
> and by no cmd access I mean that the sysadmin has disabled any and all access to command prompt through group policies.
>
> and to stop people from executing unwanted commands I could just make a user group with a high UID right?

Windows doesn't have an SSH client built in. You have to use an SSH client like PuTTY.

H@L0_F00, posted December 7, 2008:

> Was my post above useful or useless?

sorry lol

so I'll just create multiple accounts with shell "/bin/false" and no rw access? Because I'm thinking about having them pay weekly to use it and if they don't I'll just disable/remove their account

and is there a way to add which accounts can't be logged into through SSH, like the /etc/ftpusers file for FTP logins, so I don't have to remove their account to disable access if they don't pay?

X3N, posted December 8, 2008:

> sorry lol
>
> so I'll just create multiple accounts with shell "/bin/false" and no rw access? Because I'm thinking about having them pay weekly to use it and if they don't I'll just disable/remove their account
>
> and is there a way to add which accounts can't be logged into through SSH, like the /etc/ftpusers file for FTP logins, so I don't have to remove their account to disable access if they don't pay?

man if your friends are stupid enough to pay 2 bucks a week for access then that's great for you but sucks for them... for that money you could get some ssh or vpn access elsewhere... that's actually secure...

your best bet is the keypairing though if you're going to use ssh to do this...

H@L0_F00, posted December 8, 2008:

> man if your friends are stupid enough to pay 2 bucks a week for access then that's great for you but sucks for them... for that money you could get some ssh or vpn access elsewhere... that's actually secure...
>
> your best bet is the keypairing though if you're going to use ssh to do this...

I've already got a couple buyers :P but I'll have to look into keypairing