deo406 Posted September 9, 2014

I don't know if this is a stupid easy question, but I was wondering: is it possible to add a non-root user on the Pineapple Mark V? The reason why I want to be able to do this is to add another security measure for when I have my SSH tunnel set up to my server. For example, someone discovers my WiFi Pineapple and if they get my password from my Pineapple and SSH into it and then they would be able to SSH into my server without a password, that's what I am worried about since when they do, they have root privileges. Unless I am setting it up wrong... Any ideas?

Mr-Protocol Posted September 10, 2014

Give this a read: http://wiki.openwrt.org/doc/howto/secure.access

That should answer your questions of how and maybe what else to implement.

fringes Posted September 11, 2014 (edited)

> Give this a read: http://wiki.openwrt.org/doc/howto/secure.access
> That should answer your questions of how and maybe what else to implement.

That's very useful, Mr-Protocol, thanks. I don't agree with the "don't let the SSH server dropbear listen on the default port (22)" part, at least not as a security measure.

There are other things you can do, deo406, to help, and you are correct to be concerned. It sounds like you are worried about someone accessing your "relay server" by exploiting your pineapple. You absolutely do not want to add the pineapple's public key to the root account on your Internet-facing server. In fact, if you are only using that key for the tunnel, create a special account on your server explicitly for the tunnel. (You can forward multiple ports over one tunnel, by the way.) Then further protect that account by having its shell be something like /bin/false. And you should also add options to the authorized_keys file entry for that account, such as no-agent-forwarding, no-pty, no-user-rc, no-X11-forwarding. There's a lot of information about this on Google.

Edited September 11, 2014 by fringes
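
An added example, not part of the original thread: a small audit of the setup fringes describes, checking that the tunnel account is not uid 0, has a non-login shell, and that every key in its authorized_keys carries the four options named in the post. The account name `tunnel`, the sample passwd lines and the placeholder key are constructed for illustration; OpenSSH's newer `restrict` option is not considered.

```python
import re

# The four restrictions named in the post (option names are case-insensitive).
REQUIRED = ("no-agent-forwarding", "no-pty", "no-user-rc", "no-x11-forwarding")
NON_LOGIN_SHELLS = {"/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}
KEY_TYPE = re.compile(r"(ssh-|ecdsa-|sk-)")
# One option: unquoted characters or a "quoted value" that may contain commas.
OPTION = re.compile(r'(?:[^,"]|"(?:\\.|[^"\\])*")+')

def key_options(line):
    """Return the lower-cased option names at the start of an authorized_keys line."""
    line = line.strip()
    if KEY_TYPE.match(line):          # line starts with the key type: no options
        return set()
    end, quoted = 0, False
    while end < len(line) and (quoted or not line[end].isspace()):
        if line[end] == "\\" and quoted:
            end += 1                  # skip the escaped character
        elif line[end] == '"':
            quoted = not quoted
        end += 1
    return {o.split("=", 1)[0].lower() for o in OPTION.findall(line[:end])}

def audit(passwd, authorized_keys, account):
    """Return a list of findings for the tunnel account; empty means it passes."""
    findings = []
    users = {f[0]: f for f in (l.split(":") for l in passwd.splitlines()) if len(f) == 7}
    user = users.get(account)
    if user is None:
        return [f"{account}: no such account"]
    if user[2] == "0":
        findings.append(f"{account}: uid 0, the tunnel key would grant root")
    if user[6] not in NON_LOGIN_SHELLS:
        findings.append(f"{account}: login shell {user[6]} allows an interactive session")
    for n, line in enumerate(authorized_keys.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        missing = [o for o in REQUIRED if o not in key_options(line)]
        if missing:
            findings.append(f"key on line {n}: missing {', '.join(missing)}")
    return findings

# Constructed sample data; the key material is a placeholder, not a real key.
PASSWD = "root:x:0:0:root:/root:/bin/bash\ntunnel:x:1001:1001::/home/tunnel:/bin/false\n"
RESTRICTED = ("no-agent-forwarding,no-pty,no-user-rc,no-X11-forwarding "
              "ssh-rsa AAAAPLACEHOLDER pineapple-tunnel\n")
UNRESTRICTED = "ssh-rsa AAAAPLACEHOLDER pineapple-tunnel\n"
if __name__ == "__main__":
    for keys, acct in ((RESTRICTED, "tunnel"), (UNRESTRICTED, "root")):
        print(acct, audit(PASSWD, keys, acct))
```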