Posted to dev@mina.apache.org by Haripada Bhowmick <ha...@gmail.com> on 2014/07/18 14:51:57 UTC
Security Question
Team,
I want to set up Apache SSHD Server on my Linux box. A few of my clients will
be using an SSH tunnel through my Linux box.
My aim is to ENABLE port forwarding ONLY for those users. At any cost
I don't want them to execute any command to hack my server.
In order to do that I set
sshd.setShellFactory(null);
sshd.setCommandFactory(null);
Now, using the following code, I can do an SSH tunnel, but I cannot use PuTTY to
execute any command, as expected. It looks good and foolproof to me.
Can you please tell:
Is there any security hole which is going unattended, so that a hacker can take
control of my server? Because I will provide the Apache SSHD user id and password
to various people.
Thank you
Harry
========================= CODE ======================
import java.io.IOException;

// Package names as used by the Apache MINA SSHD 0.x API shown in this code.
import org.apache.sshd.SshServer;
import org.apache.sshd.common.ForwardingFilter;
import org.apache.sshd.common.Session;
import org.apache.sshd.common.SshdSocketAddress;
import org.apache.sshd.server.PasswordAuthenticator;
import org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider;
import org.apache.sshd.server.session.ServerSession;

public class sshServer {

    public static void main(String[] args) throws InterruptedException,
            IOException {
        SshServer sshd = SshServer.setUpDefaultServer();
        sshd.setPort(22);
        // Host key is generated on first start and stored in this file.
        sshd.setKeyPairProvider(new SimpleGeneratorHostKeyProvider(
                "hostkey.ser"));
        /*
         * sshd.setShellFactory(new ProcessShellFactory(new String[] {
         * "/bin/sh", "-i", "-l" }));
         */
        /*
         * sshd.setShellFactory(new ProcessShellFactory( new String[] {
         * "cmd.exe " }, EnumSet.of( ProcessShellFactory.TtyOptions.Echo,
         * ProcessShellFactory.TtyOptions.ICrNl,
         * ProcessShellFactory.TtyOptions.ONlCr)));
         */
        // ## ########################### IMPORTANT: DISABLE IT -
        // ### No shell and no command factory: "shell" and "exec" requests
        // ### have nothing to run.
        sshd.setShellFactory(null);
        sshd.setCommandFactory(null);
        // ## ################ DISABLE IT --
        sshd.setTcpipForwardingFilter(new ForwardingFilter() {
            // No agent forwarding.
            public boolean canForwardAgent(Session session) {
                return false;
            }

            // No X11 forwarding.
            public boolean canForwardX11(Session session) {
                return false;
            }

            // No remote (server-side listening) forwards.
            public boolean canListen(SshdSocketAddress address, Session session) {
                return false;
            }

            // Local forwards are allowed to every destination.
            public boolean canConnect(SshdSocketAddress address, Session session) {
                return true;
            }
        });
        sshd.setPasswordAuthenticator(new PasswordAuthenticator() {
            @Override
            public boolean authenticate(String usr, String pss,
                    ServerSession arg2) {
                // Single hard-coded account.
                if (usr.equals("specialuser") && pss.equals("specialpass")) {
                    return true;
                }
                return false;
            }
        });
        sshd.start();
    }
}
===========================================================
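Added example (not part of the original post and not Apache MINA SSHD code): the filter in the post answers canConnect with true for every destination, so an authenticated user can ask the server to connect to any host and port it can reach, loopback included. A destination allow-list such as the following, consulted from canConnect, narrows that to named targets; the class name, the sample entries and the getHostName()/getPort() wiring shown in the comment are assumptions.

```java
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

/** Destination allow-list for local ("direct-tcpip") port forwarding. */
public class ForwardAllowList {
    private final Set<String> allowed = new HashSet<String>();

    /** Entries are "host:port" literals exactly as clients will request them. */
    public ForwardAllowList(String... entries) {
        for (String e : entries) {
            allowed.add(e.toLowerCase(Locale.ROOT));
        }
    }

    /** True only for an exact host:port match; everything else is refused. */
    public boolean permits(String host, int port) {
        if (host == null || port < 1 || port > 65535) {
            return false;
        }
        return allowed.contains(host.toLowerCase(Locale.ROOT) + ":" + port);
    }

    public static void main(String[] args) {
        // Constructed sample policy: one database and one intranet site.
        ForwardAllowList policy =
                new ForwardAllowList("10.0.0.5:5432", "intranet.example:443");
        // Constructed sample requests, including loopback targets on the
        // SSH host itself, which the allow-list refuses by default.
        String[][] requests = {
            {"10.0.0.5", "5432"}, {"INTRANET.example", "443"},
            {"127.0.0.1", "22"}, {"localhost", "3306"}, {"10.0.0.5", "22"},
        };
        for (String[] r : requests) {
            boolean ok = policy.permits(r[0], Integer.parseInt(r[1]));
            System.out.println(r[0] + ":" + r[1] + " -> "
                    + (ok ? "forward" : "refuse"));
        }
        // Wiring into the filter from the post (needs MINA SSHD on the
        // classpath; accessor names are an assumption about that API):
        //   public boolean canConnect(SshdSocketAddress address, Session session) {
        //       return policy.permits(address.getHostName(), address.getPort());
        //   }
    }
}
```

Matching is on the literal string the client requests, so listing IP addresses rather than names keeps the decision independent of how the server later resolves the name.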