Allowing ssh straight to the shell



  • I had my DD-WRT router set up so that I could ssh to it. When the connection was made, I ended up in the router's shell. On my pfSense box I get the text-interface menu, where the shell is an option. This means that I cannot reach the shell directly, which I would like to do, in order to tunnel ports to other hosts on the network.

    Is there a way to configure pfSense to have ssh connect to the shell and perhaps launch the menu through a shell command?



  • This is what I do for directly running tcpdump through ssh.  Though it's not what you are attempting maybe it could spark some ideas.

    
    "C:\Program Files\PuTTY\plink.exe" -ssh -pw password root@pfSense.localdomain tcpdump -p -n -nn -s 0 -U -w - -i bfe0 not port 22 and src or dst 192.168.2.1 | "C:\Program Files\Wireshark\wireshark.exe" -i - -k
    
    

    or replace password with i option and key file

    
    "C:\Program Files\PuTTY\plink.exe" -ssh -i "C:\Program Files (x86)\WinSCP\Keys\pfSense\id_rsa_4096_SSH_Private_Key.ppk" root@pfSense.localdomain tcpdump -p -n -nn -s 0 -U -w - -i bfe0 not port 22 and src or dst 192.168.2.1 | "C:\Program Files\Wireshark\wireshark.exe" -i - -k
    
    


  • What exactly does that accomplish?

    By the way, I am on a Mac and have Terminal instead of Putty.


  • Rebel Alliance Global Moderator

    if you login with a different user than root/admin, you will not get the menu and just the shell..

    So see if I login with root or admin you get the menu your talking about.  I created a johnpoz account, using the same public key for auth.  And boom your straight into the shell.




  • @DominikHoffmann:

    What exactly does that accomplish?

    By the way, I am on a Mac and have Terminal instead of Putty.

    It starts tcpdump on pfSense and streams it to local Wireshark for live capture.

    I have several "canned" commands for common stuff.  Similar capability is under development for inclusion in Wireshark.  Then the external ssh command won't be needed anymore.  That will be really nice.

    Netcat can be used instead of plink.  Some people do that.  But since I'm using PuTTY/WinSCP plink is already on the system.  So I make use of that.

    What John said is probably what you are looking for.  My guess is that the account he created just has a different shell assigned to it than what the root account has.  Have not verified though so could be completely wrong about what is going on with that.

    Or maybe the root account just runs some scripts at login time.



  • Going with a separate user ID is just fine for my application.

    Thanks to you both!


  • Rebel Alliance Global Moderator

    "Thanks to you both!"

    You sure about that??  Seems NOYB got the thank you for his post, which didn't answer your question.  But I posted up screenshots showing you that it works, and yet I get bumpkis - heheh.. atleast it seems you didn't smite me.. ROFL!!!



  • I haven’t used this forum much, and haven’t used this forum format elsewhere and therefore didn’t realize that one can hand out only one Thanks per thread started.


  • Rebel Alliance Global Moderator

    You can remove his ;)  And give it to the person who actually helped you ;)



  • If I'm not mistaken, this is determined by /root/.shrc which, when it detects root login, runs /etc/rc.initial.

    It shouldn't be too hard to modify .shrc to not run the shell.



  • Setting up a separate user does the trick for me. It also adds another layer of protection against brute-force attacks, although I have shutdown password login.