useradd on Pineapple for ssh tunnel

[deo406]

I don't know if this is a stupid easy question but I was wondering, is it possable to add a non-root user on the Pineapple Mark V. The reason why I want to be able to do this is to add another secure messure for when I have my SSH Tunnel set up to my server. For example, someone discovers my wifi pineapple and if they get my password from my Pineapple and SSH into it and then they would be able to SSH into my server without a password, that's what I am worried about since when they do, they have root privileges. Unless I am setting it up wrong... Any ideas?

[Mr-Protocol]

Give this a read: http://wiki.openwrt.org/doc/howto/secure.access

That should answer your questions of how and maybe what else to implement.

[fringes]

Give this a read: http://wiki.openwrt.org/doc/howto/secure.access

That should answer your questions of how and maybe what else to implement.

That's very useful Mr-Protocol, thanks. I don't agree with the "don't let the SSH server dropbear listen on the default port (22)" part, at least not as a security measure.

There are other things you can do deo406 to help, and you are correct to be concerned. It sounds like you are worried about someone accessing your "relay server" by exploiting your pineapple. You absolutely do not want to add the pineapple's public key to the root account on your Internet facing server. In fact, if you are only using that key for the tunnel, create a special account on your server explicitly for the tunnel. (You can forward multiple ports over one tunnel by-the-way.) Then further protect that account by having it's shell be something like /bin/false. And you should also add options to the authorized_keys file entry for that account such as (no-agent-forwarding, no-pty, no-user-rc, no-X11-forwarding). There's a lot of information about this on Google.

.

Edited September 11, 2014 by fringes