Ssh – No shell and launch application on login

bashopenvmssshunix-shell

I am working on migrating an application from OpenVMS to RedHat Linux 6. The application is a green screen terminal application. The users will log into Linux via SSH and the application should automatically start but they should never have access to the shell. Once the application closes or crashes it should automatically log them out. What is the best way to approach this?

I've tried creating a new user with the following command.

useradd -s /sbin/nologin test

I then added ftp & to the users .bash_profile in the hope it would open the ftp console immediately and then once they quit it would log them out. However upon authentication on SSH the session is killed. Any ideas?

Best Answer

The "green screen" application I've supported for the past 12 years accomplishes this via a modified .bash_profile and a wrapper script to start the application.

After the systems are built and service users created, we modify the default .bash_profile in the /etc/skel directory. This ensures that new users created on the system pick up the login settings.

Let's call the application "peach"

Inside the .bash_profile,

# Source any peach-specific variables
. /etc/default/peach

# Set up the search paths:
        PATH=$PATH:.

# Set up the shell environment:
        set +u
        trap "echo 'logout'" 0

# Run the peach application or start script:
        /opt/peach/bin/run-peach

The actual "run-peach" wrapper script will look like:

#!/bin/bash

set -e

<blah blah> # do stuff, set MOAR variables
/opt/peach/bin/peach # run application binary

The set -e and trap are important here.

Related Solutions

Ssh – How to automate SSH login with password

Don't use a password. Generate a passphrase-less SSH key and push it to your VM.

If you already have an SSH key, you can skip this step… Just hit Enter for the key and both passphrases:

$ ssh-keygen -t rsa -b 2048
Generating public/private rsa key pair.
Enter file in which to save the key (/home/username/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/username/.ssh/id_rsa.
Your public key has been saved in /home/username/.ssh/id_rsa.pub.

Copy your keys to the target server:

$ ssh-copy-id id@server
id@server's password:

Now try logging into the machine, with ssh 'id@server', and check-in:

.ssh/authorized_keys

Note: If you don't have .ssh dir and authorized_keys file, you need to create it first

to make sure we haven’t added extra keys that you weren’t expecting.

Finally, check to log in…

$ ssh id@server

id@server:~$

You may also want to look into using ssh-agent if you want to try keeping your keys protected with a passphrase.

Linux Bash – Where is $BASH_ENV Usually Set?

BASH_ENV is only going to be set via the environment, or another script that is sourced during initialization. For a non-interactive shell, it will only be trying to source additional files if that shell is also a login shell. (in which case it'll read ~/.bash_profile, ~/.bash_login, and ~/.profile...but if it was doing that, you wouldn't be experiencing an issue)

The first place to look is the environment in which the subshell is being invoked.

An exported BASH_ENV variable will be passed through. Keep in mind that this may be buried in a sourced file.
It can be fed in as a parameter on the same line calling the script, i.e. BASH_ENV=blah /path/to/somecommand.sh. This stands out like a sore thumb so you probably would have caught it.

If it's being set after you log in but you can't figure out where, you may need to look at what is responsible for constructing the login environment.

All of the usual files that get sourced by a login shell. man bash for the exhaustive list.
PAM: As freiheit suggested in the comments, check /etc/security/pam_env.conf, and any additional files that are referenced by pam_env.so. Other PAM modules could also be responsible, but if your PAM configs look identical this is probably not the case.
sshd: It will scan the following files, in order:
- ~/.ssh/environment (before changing to the home directory; only if PermitUserEnvironment is enabled in sshd_config)
- ~/.ssh/rc (after changing to the home directory; always)
- /etc/ssh/sshrc (if ~/.ssh/rc is not present)

Note: sshd will also scan for environment=value lines in the user's authorized keys file (if PermitUserEnvironment is enabled), but it is not clear from the man page where that step falls in the above sequence.

Best Answer

Related Solutions

Ssh – How to automate SSH login with password

Linux Bash – Where is $BASH_ENV Usually Set?

Related Topic