sahinakkaya.dev/2022/02/27/creating-a-useless-user.html
2023-01-16 10:51:46 +00:00


<!DOCTYPE html>
<!--
Minimal Mistakes Jekyll Theme 4.24.0 by Michael Rose
Copyright 2013-2020 Michael Rose - mademistakes.com | @mmistakes
Free for personal and commercial use under the MIT license
https://github.com/mmistakes/minimal-mistakes/blob/master/LICENSE
--><html lang="en" class="no-js">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<meta charset="utf-8">
<!-- begin _includes/seo.html --><title>Creating a Useless User - Şahin Akkaya's Personal Page</title>
<meta name="description" content="Story In my previous post, I explained how to do port forwarding to access some machine behind private network. I will use this method to fix some issues in our desktop at home or my girlfriends computer. Now, of course I dont want to give them access to my server. But they also need to have a user in my server to be able to perform port forwarding via ssh. So I wanted to create a user with least privileges to make sure nothing goes wrong.">
<meta name="author" content="Şahin Akkaya">
<meta property="article:author" content="Şahin Akkaya">
<meta property="og:type" content="article">
<meta property="og:locale" content="en_US">
<meta property="og:site_name" content="Şahin Akkaya's Personal Page">
<meta property="og:title" content="Creating a Useless User">
<meta property="og:url" content="https://sahinakkaya.dev/2022/02/27/creating-a-useless-user.html">
<meta property="og:description" content="Story In my previous post, I explained how to do port forwarding to access some machine behind private network. I will use this method to fix some issues in our desktop at home or my girlfriends computer. Now, of course I dont want to give them access to my server. But they also need to have a user in my server to be able to perform port forwarding via ssh. So I wanted to create a user with least privileges to make sure nothing goes wrong.">
<meta property="article:published_time" content="2022-02-27T13:40:00+00:00">
<link rel="canonical" href="https://sahinakkaya.dev/2022/02/27/creating-a-useless-user.html">
<script type="application/ld+json">
{
"@context": "https://schema.org",
"@type": "Person",
"name": null,
"url": "https://sahinakkaya.dev/"
}
</script>
<!-- end _includes/seo.html -->
<link href="/feed.xml" type="application/atom+xml" rel="alternate" title="Şahin Akkaya's Personal Page Feed">
<!-- https://t.co/dKP3o1e -->
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<script>
document.documentElement.className = document.documentElement.className.replace(/\bno-js\b/g, '') + ' js ';
</script>
<!-- For all browsers -->
<link rel="stylesheet" href="/assets/css/main.css">
<link rel="preload" href="https://cdn.jsdelivr.net/npm/@fortawesome/fontawesome-free@5/css/all.min.css" as="style" onload="this.onload=null;this.rel='stylesheet'">
<noscript><link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/@fortawesome/fontawesome-free@5/css/all.min.css"></noscript>
<!-- start custom head snippets -->
<!-- insert favicons. use https://realfavicongenerator.net/ -->
<!-- end custom head snippets -->
</head>
<body class="layout--single">
<nav class="skip-links">
<ul>
<li><a href="#site-nav" class="screen-reader-shortcut">Skip to primary navigation</a></li>
<li><a href="#main" class="screen-reader-shortcut">Skip to content</a></li>
<li><a href="#footer" class="screen-reader-shortcut">Skip to footer</a></li>
</ul>
</nav>
<!--[if lt IE 9]>
<div class="notice--danger align-center" style="margin: 0;">You are using an <strong>outdated</strong> browser. Please <a href="https://browsehappy.com/">upgrade your browser</a> to improve your experience.</div>
<![endif]-->
<div class="masthead">
<div class="masthead__inner-wrap">
<div class="masthead__menu">
<nav id="site-nav" class="greedy-nav">
<a class="site-title" href="/">
/home/sahin/
</a>
<ul class="visible-links">
<li class="masthead__menu-item">
<a href="/">Home</a>
</li>
<li class="masthead__menu-item">
<a href="/about/">About</a>
</li>
<li class="masthead__menu-item">
<a href="/contact/">Contact</a>
</li>
</ul>
<button class="search__toggle" type="button">
<span class="visually-hidden">Toggle search</span>
<i class="fas fa-search"></i>
</button>
<button class="greedy-nav__toggle hidden" type="button">
<span class="visually-hidden">Toggle menu</span>
<div class="navicon"></div>
</button>
<ul class="hidden-links hidden"></ul>
</nav>
</div>
</div>
</div>
<div class="initial-content">
<div id="main" role="main">
<div class="sidebar sticky">
<div itemscope itemtype="https://schema.org/Person">
<div class="author__avatar">
<img src="/assets/images/logo.jpg" alt="Şahin Akkaya" itemprop="image">
</div>
<div class="author__content">
<h3 class="author__name" itemprop="name">Şahin Akkaya</h3>
<div class="author__bio" itemprop="description">
<p>A perfectionist who likes to tinker everything until it is just right.</p>
</div>
</div>
<div class="author__urls-wrapper">
<button class="btn btn--inverse">Follow</button>
<ul class="author__urls social-icons">
<li itemprop="homeLocation" itemscope itemtype="https://schema.org/Place">
<i class="fas fa-fw fa-map-marker-alt" aria-hidden="true"></i> <span itemprop="name">Istanbul, Turkey</span>
</li>
<li><a href="https://github.com/sahinakkaya" rel="nofollow noopener noreferrer"><i class="fab fa-fw fa-github" aria-hidden="true"></i><span class="label">sahinakkayadev</span></a></li>
<li><a href="https://stackoverflow.com/users/9608759" rel="nofollow noopener noreferrer"><i class="fab fa-fw fa-stack-overflow" aria-hidden="true"></i><span class="label">Asocia</span></a></li>
<li><a href="https://twitter.com/sahinakkayadev" rel="nofollow noopener noreferrer"><i class="fab fa-fw fa-twitter-square" aria-hidden="true"></i><span class="label">@sahinakkayadev</span></a></li>
<li><a href="mailto:sahin@sahinakkaya.dev" rel="nofollow noopener noreferrer"><i class="fas fa-fw fa-envelope" aria-hidden="true"></i><span class="label">sahin@sahinakkaya.dev</span></a></li>
<li><a href="/assets/docs/resume.pdf" rel="nofollow noopener noreferrer"><i class="fas fa-fw fa-id-card" aria-hidden="true"></i><span class="label">Resume</span></a></li>
<!--
<li>
<a href="http://link-to-whatever-social-network.com/user/" itemprop="sameAs" rel="nofollow noopener noreferrer">
<i class="fas fa-fw" aria-hidden="true"></i> Custom Social Profile Link
</a>
</li>
-->
</ul>
</div>
</div>
</div>
<article class="page" itemscope itemtype="https://schema.org/CreativeWork">
<meta itemprop="headline" content="Creating a Useless User">
<meta itemprop="description" content="StoryIn my previous post, I explained how to do port forwarding to access some machine behind private network. I will use this method to fix some issues in our desktop at home or my girlfriends computer. Now, of course I dont want to give them access to my server. But they also need to have a user in my server to be able to perform port forwarding via ssh. So I wanted to create a user with least privileges to make sure nothing goes wrong.">
<meta itemprop="datePublished" content="2022-02-27T13:40:00+00:00">
<div class="page__inner-wrap">
<header>
<h1 id="page-title" class="page__title" itemprop="headline">Creating a <em>Useless</em> User
</h1>
<p class="page__meta">
<span class="page__meta-date">
<i class="far fa-calendar-alt" aria-hidden="true"></i>
<time datetime="2022-02-27T13:40:00+00:00">February 27, 2022</time>
</span>
<span class="page__meta-sep"></span>
<span class="page__meta-readtime">
<i class="far fa-clock" aria-hidden="true"></i>
1 minute read
</span>
</p>
</header>
<section class="page__content" itemprop="text">
<h2 id="story">Story</h2>
<p>In my <a href="/2022/02/26/ssh-into-machine-that-is-behind-private-network.html">previous post</a>, I explained how to do port forwarding to access a machine behind a private network. I will use this method to fix some issues on our desktop at home or my girlfriend's computer. Now, of course I don't want to give them access to my server. But they also need to have a user on my server to be able to perform port forwarding via ssh. So I wanted to create a user with the least privileges to make sure nothing goes wrong.</p>
<h2 id="the-solution">The solution</h2>
<p>I searched for the problem and it turned out to be very simple. You just need to add two additional flags to the <code class="language-plaintext highlighter-rouge">adduser</code> command while creating the user.</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nb">sudo </span>adduser uselessuser <span class="nt">--shell</span><span class="o">=</span>/bin/false <span class="nt">--no-create-home</span>
</code></pre></div></div>
<p>Now, <code class="language-plaintext highlighter-rouge">uselessuser</code> can't do anything useful on your server. If they try to log in, the connection will be closed immediately.</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code> ssh uselessuser@remote.host
uselessuser@remote.host<span class="se">\'</span>s password:
Could not chdir to home directory /home/uselessuser: No such file or directory
Connection to remote.host closed.
</code></pre></div></div>
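<p>But they can still forward the remote port to their local machine. Keep in mind that <code class="language-plaintext highlighter-rouge">/bin/false</code> only blocks shell access: unless <code class="language-plaintext highlighter-rouge">sshd_config</code> says otherwise, this account can request any kind of forwarding, so it is worth restricting it there, for example with a <code class="language-plaintext highlighter-rouge">Match User uselessuser</code> block that sets <code class="language-plaintext highlighter-rouge">AllowTcpForwarding remote</code> and a <code class="language-plaintext highlighter-rouge">PermitListen</code> entry for the one port you hand out.</p>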
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code> ssh <span class="nt">-Nf</span> <span class="nt">-R</span> 7777:localhost:22 uselessuser@remote.host
uselessuser@remote.host<span class="se">\'</span>s password:
</code></pre></div></div>
<p>The <code class="language-plaintext highlighter-rouge">-N</code> option is the most important one here. From the documentation:</p>
<blockquote>
<div class="language-plaintext highlighter-rouge">
<div class="highlight"><pre class="highlight"><code> -N Do not execute a remote command. This is useful
for just forwarding ports. Refer to the description
of SessionType in ssh_config(5) for details.
</code></pre></div> </div>
</blockquote>
<h2 id="last-words">Last words</h2>
<p>I love learning new things every day. I knew setting the shell of a user to <code class="language-plaintext highlighter-rouge">/bin/false</code> would prevent them from logging in. I wrote this blog post because there are 2 things I wanted to share:</p>
<ul>
<li>While looking for a solution to the problem I mentioned, I searched <em>“create a user with no privileges in linux”</em> and <a href="https://askubuntu.com/questions/1174376/how-to-create-a-user-with-the-least-privileges-permissions-but-enough-to-do-ssh">this</a> came out. It is really interesting for me that another person wanted to do the same thing for the <em>exact same reasons</em>. They were also trying port forwarding via ssh and they wanted to create a limited user in their server to give friends. So the question was a <strong>perfect fit</strong> to the problem.</li>
<li>The <code class="language-plaintext highlighter-rouge">-N</code> flag of the ssh command was also surprising for me. It was as if someone had encountered these problems before and just took the exact steps required to solve this problem for me. I mean look at the documentation. Crazy!</li>
</ul>
</section>
<footer class="page__meta">
<p class="page__date"><strong><i class="fas fa-fw fa-calendar-alt" aria-hidden="true"></i> Updated:</strong> <time datetime="2022-02-27T13:40:00+00:00">February 27, 2022</time></p>
</footer>
<nav class="pagination">
<a href="/2022/02/26/ssh-into-machine-that-is-behind-private-network.html" class="pagination--pager" title="SSH into Machine That Is Behind a Private Network
">Previous</a>
<a href="/2022/03/03/never-get-trapped-in-grub-rescue-again.html" class="pagination--pager" title="Never Get Trapped in Grub Rescue Again!
">Next</a>
</nav>
</div>
</article>
<div class="page__related">
<h4 class="page__related-title">You May Also Enjoy</h4>
<div class="grid__wrapper">
<div class="grid__item">
<article class="archive__item" itemscope itemtype="https://schema.org/CreativeWork">
<h2 class="archive__item-title no_toc" itemprop="headline">
<a href="/2023/01/15/hot-reloading-with-trap-and-kill.html" rel="permalink">Hot-Reload Long Running Shell Scripts (feat. trap / kill)
</a>
</h2>
<p class="page__meta">
<span class="page__meta-date">
<i class="far fa-fw fa-calendar-alt" aria-hidden="true"></i>
<time datetime="2023-01-15T21:48:08+00:00">January 15, 2023</time>
</span>
<span class="page__meta-sep"></span>
<span class="page__meta-readtime">
<i class="far fa-fw fa-clock" aria-hidden="true"></i>
5 minute read
</span>
</p>
<p class="archive__item-excerpt" itemprop="description">trap them and kill them!
There is a beautiful command in Linux called trap which traps signals and let you run specific commands when they invoked. There is ...</p>
</article>
</div>
<div class="grid__item">
<article class="archive__item" itemscope itemtype="https://schema.org/CreativeWork">
<h2 class="archive__item-title no_toc" itemprop="headline">
<a href="/2022/12/29/recap-of-2022.html" rel="permalink">Recap of 2022
</a>
</h2>
<p class="page__meta">
<span class="page__meta-date">
<i class="far fa-fw fa-calendar-alt" aria-hidden="true"></i>
<time datetime="2022-12-29T20:22:08+00:00">December 29, 2022</time>
</span>
<span class="page__meta-sep"></span>
<span class="page__meta-readtime">
<i class="far fa-fw fa-clock" aria-hidden="true"></i>
1 minute read
</span>
</p>
<p class="archive__item-excerpt" itemprop="description">Its been a while… It has been so long that I forgot how I was writing my blogs back then. My life didnt change that much. Actually, it is getting worse.
</p>
</article>
</div>
<div class="grid__item">
<article class="archive__item" itemscope itemtype="https://schema.org/CreativeWork">
<h2 class="archive__item-title no_toc" itemprop="headline">
<a href="/2022/06/22/rant-on-peoples-reaction-to-copilot.html" rel="permalink">Rant: Stop whatever you are doing and learn how licenses work
</a>
</h2>
<p class="page__meta">
<span class="page__meta-date">
<i class="far fa-fw fa-calendar-alt" aria-hidden="true"></i>
<time datetime="2022-06-22T07:46:00+00:00">June 22, 2022</time>
</span>
<span class="page__meta-sep"></span>
<span class="page__meta-readtime">
<i class="far fa-fw fa-clock" aria-hidden="true"></i>
2 minute read
</span>
</p>
<p class="archive__item-excerpt" itemprop="description">Recently, Github announced
that they are making Github Copilot available for everyone. Previously, it was in Beta and you could get it through the waiting l...</p>
</article>
</div>
<div class="grid__item">
<article class="archive__item" itemscope itemtype="https://schema.org/CreativeWork">
<h2 class="archive__item-title no_toc" itemprop="headline">
<a href="/2022/04/08/confession-time.html" rel="permalink">Confession Time
</a>
</h2>
<p class="page__meta">
<span class="page__meta-date">
<i class="far fa-fw fa-calendar-alt" aria-hidden="true"></i>
<time datetime="2022-04-08T15:46:00+00:00">April 8, 2022</time>
</span>
<span class="page__meta-sep"></span>
<span class="page__meta-readtime">
<i class="far fa-fw fa-clock" aria-hidden="true"></i>
2 minute read
</span>
</p>
<p class="archive__item-excerpt" itemprop="description">A failure story
Last week, I received an email from Lets Encrypt reminding me to renew my certificates. I forgot to renew it and the certificate expired. No...</p>
</article>
</div>
</div>
</div>
</div>
</div>
<div class="search-content">
<div class="search-content__inner-wrap">
<form class="search-content__form" onkeydown="return event.key != 'Enter';">
<label class="sr-only" for="search">
Enter your search term...
</label>
<input type="search" id="search" class="search-input" tabindex="-1" placeholder="Enter your search term...">
</form>
<div id="results" class="results"></div>
</div>
</div>
<div id="footer" class="page__footer">
<footer>
<!-- start custom footer snippets -->
<!-- end custom footer snippets -->
<div class="page__footer-follow">
<ul class="social-icons">
<li><a href="/feed.xml"><i class="fas fa-fw fa-rss-square" aria-hidden="true"></i> Feed</a></li>
</ul>
</div>
<div class="page__footer-copyright">© 2023 Şahin Akkaya's Personal Page. Powered by <a href="https://jekyllrb.com" rel="nofollow">Jekyll</a> &amp; <a href="https://mademistakes.com/work/minimal-mistakes-jekyll-theme/" rel="nofollow">Minimal Mistakes</a>.</div>
<div class="page__footer-copyright">
Check out the <a href="https://github.com/Asocia/sahinakkayadotdev">code</a> of this site.
</div>
</footer>
</div>
<script src="/assets/js/main.min.js"></script>
<script src="/assets/js/lunr/lunr.min.js"></script>
<script src="/assets/js/lunr/lunr-store.js"></script>
<script src="/assets/js/lunr/lunr-en.js"></script>
</body>
</html>