eschaton,
@eschaton@mastodon.social

Are there any straightforward guides to setting up an SSH “jump server” for an old system? Let’s say I have a VAX VMS system I want to provide access to. People would ssh to cmhvax@mysite with a password I share, and each would produce a telnet connection to the VAX that they’d then have to log into with their real login and password. The past couple times I’ve looked into it, I got pretty lost in a forest of documentation…

philpem,
@philpem@digipres.club

@eschaton There's a way to lock an SSH account into a specific shell - it's usually used for chrooted SFTP-only accounts. I can dig up how I did it, I expect you can change it to telnet in to the respective machine.

Chroot jailing it should mean that if someone manages to escape the sandbox, they shouldn't be able to do much as they won't have access to system binaries. In theory. No guarantee.

eschaton,
@eschaton@mastodon.social

@philpem Hmm, a shell that does a chroot (and traps INT/HUP/QUIT) might be useful. Right now I just have a user with /bin/sh as their shell and this as their .profile to prevent breaking out:

trap "" 1 2 3
telnet -E vax-ip-address
exit

This still has a tiny race, unless the shell actively fails upon a signal between sourcing .profile and executing its contents. Maybe I should just write a couple lines of C…

hanshuebner,
@hanshuebner@mastodon.social

@eschaton What prevents you from creating accounts on your Unix box that have a shell script with the right telnet command as their shell? Am I missing something?

kaibae,
@kaibae@sfba.social

@hanshuebner @eschaton This was my thinking as well

eschaton,
@eschaton@mastodon.social

@kaibae @hanshuebner @eschaton Not unreasonable at all, and very probably the way to go. Thanks!
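
The "couple lines of C" idea from the thread, written out as an added example (not code posted by any participant): a program installed as the jump account's login shell that ignores HUP/INT/QUIT and then execs telnet directly. TELNET_PATH is an assumed location, and vax-ip-address is the thread's own placeholder.

```c
/* jumpshell.c: added example, to be set as the jump account's login shell.
 * TELNET_PATH is an assumption; VAX_HOST is the placeholder from the thread. */
#include <signal.h>
#include <stdio.h>
#include <unistd.h>

#define TELNET_PATH "/usr/bin/telnet"
#define VAX_HOST    "vax-ip-address"

/* Ignore signals 1 2 3 (HUP, INT, QUIT), matching the .profile trap.
 * An ignored disposition is inherited across execv(). No shell ever runs,
 * so a signal that arrives before this call can only end the session. */
int ignore_breakout_signals(void)
{
    static const int sigs[] = { SIGHUP, SIGINT, SIGQUIT };
    size_t i;

    for (i = 0; i < sizeof sigs / sizeof sigs[0]; i++)
        if (signal(sigs[i], SIG_IGN) == SIG_ERR)
            return -1;
    return 0;
}

/* Fixed argument vector for telnet. Nothing the SSH client supplies
 * (for example the "-c command" sshd passes for `ssh host command`)
 * is ever copied into it. */
void build_telnet_argv(const char *out[4])
{
    out[0] = "telnet";
    out[1] = "-E";        /* no escape character, as in the thread */
    out[2] = VAX_HOST;
    out[3] = NULL;
}

int main(int argc, char **argv)
{
    const char *targv[4];

    (void)argc; (void)argv;   /* caller-supplied arguments are ignored */
    if (ignore_breakout_signals() != 0) {
        perror("signal");
        return 1;
    }
    build_telnet_argv(targv);
    execv(TELNET_PATH, (char *const *)targv);   /* returns only on failure */
    perror("execv");
    return 1;
}
```

A restricted login shell does not stop SSH port forwarding on a shared-password account, so pair it with a Match User block in sshd_config that sets AllowTcpForwarding no and X11Forwarding no.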
