Adding Shell Users
[This modification has been verified to work with Smoothwall Express 2.0.]
This page will show you how to create additional user accounts for logging into
Smoothwall's shell interface.
Background:
Smoothwall has two user accounts which can be used for logging into the console
or via SSH, namely root and setup.
However, you may need additional users to log in to Smoothwall's shell
(e.g., for tunnelling things over SSH), and you probably
don't want to give the root password to anyone else.
Instead, using the information on this page, you can now create additional non-root
shell accounts for those users.
Note that giving people a logon account on your firewall isn't particularly desirable.
If possible, I'd suggest using an SSH server behind your Smoothwall,
or using a VPN.
Requirements:
You'll need:
- A Smoothwall Express 2.0 installation (obviously...).
- A way of getting a command-line prompt on your Smoothwall box
  (either by logging directly onto your Smoothwall box,
  using an SSH client such as PuTTY or SSH Secure Shell,
  or via the Smoothwall web interface).
Creating an Account:
Ensure you have SSH enabled on your Smoothwall (it's configured on the
"remote access" page). This is required for logging into your Smoothwall with SSH.
Log in to your Smoothwall box via SSH as root.
The instructions below detail the steps required to create a user account
called testuser. Replace this username with
whatever you want to call your user account.
Edit /etc/passwd and add a new line to the end:
testuser:x:103:103:test user:/:
Each field is separated by a ":" character,
and the fifth field is just a description for your new user account.
Note that the repeated number on this line (third and fourth fields) gives the
user ID and group ID of the new user, and must be unique
(i.e., not used by any other user account in /etc/passwd).
Edit /etc/group and add a new line to the end:
testuser:x:103:
Note that the number specified on this line must match the number you specified earlier
in /etc/passwd.
Edit /etc/shadow and add a new line to the end:
testuser::0:0:99999:7:::
Depending on how you are editing /etc/shadow, you may need to
adjust the file permissions before you can edit it. For example, if
using vi to edit the file,
there's no need to adjust the file permissions, as you can save read-only files
using ":w!".
If required, relax the file permission on /etc/shadow using:
chmod 600 /etc/shadow
Once you've made the changes to /etc/shadow, be sure to reset
the file permissions:
chmod 400 /etc/shadow
Now that you've created a user account, you need to set a password for your new account:
passwd testuser
and you'll be prompted to enter a password for that account.
Restricting Access:
Any user created as specified above will have limited shell access on your Smoothwall.
If shell access isn't required and the SSH connection itself
(e.g., for tunnelling things over SSH) is all that's needed,
you can limit the user's access by not giving them a shell at all.
Edit /etc/passwd and change the very last field for your new
user account to use something other than a shell:
testuser:x:103:103:test user:/:/bin/cat
The above line specifies /bin/cat as the user's shell.
This means that when the user logs in, they'll be presented with a running instance
of /bin/cat, which is harmless and will simply echo
anything that is typed.
You can specify any binary instead of a shell, but it must be a binary that will
not terminate immediately, as that will cause the SSH session to terminate.
Hitting ^C or ^D
will terminate the user's SSH session.
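The check below is an added example, not part of the original page: it confirms that the three entries created above are consistent (unique user ID, matching group, a password set in the shadow file) and flags an account that still has no shell field. The function name audit_user, its finding labels and the sample files are constructed for illustration; on a real box you would pass /etc/passwd, /etc/group and /etc/shadow as root.

```sh
#!/bin/sh
# Added example (assumed helper name): audit one account across the three files.
# Usage: audit_user USER PASSWD_FILE GROUP_FILE SHADOW_FILE
# Prints one finding per line, or "ok" when nothing is flagged.
audit_user() {
    awk -F: -v u="$1" '
        FNR == 1 { f++ }                 # f = 1 passwd, 2 group, 3 shadow
        f == 1 { uids[$3]++ }            # count how often each UID is used
        f == 1 && $1 == u { found = 1; uid = $3; gid = $4; shell = $7 }
        f == 2 && $1 == u { gfound = 1; ggid = $3 }
        f == 3 && $1 == u { sfound = 1; hash = $2 }
        END {
            n = 0
            if (!found) { print "no-passwd-entry"; exit }
            # UID must not be shared with any other passwd entry
            if (uids[uid] > 1)          { print "duplicate-uid"; n++ }
            # group line must exist and carry the same number as passwd
            if (!gfound || ggid != gid) { print "group-mismatch"; n++ }
            # empty second shadow field: no password has been set yet
            if (!sfound)                { print "no-shadow-entry"; n++ }
            else if (hash == "")        { print "empty-password"; n++ }
            # empty seventh passwd field: account gets the default shell
            if (shell == "")            { print "default-shell"; n++ }
            if (n == 0) print "ok"
        }
    ' "$2" "$3" "$4"
}

# Constructed sample files (not real system files): the state right after the
# edits above, before "passwd testuser" has been run.
d=$(mktemp -d)
printf 'root:x:0:0:root:/root:/bin/sh\ntestuser:x:103:103:test user:/:\n' > "$d/passwd"
printf 'root:x:0:\ntestuser:x:103:\n' > "$d/group"
printf 'root:HASH_PLACEHOLDER:0:0:99999:7:::\ntestuser::0:0:99999:7:::\n' > "$d/shadow"
audit_user testuser "$d/passwd" "$d/group" "$d/shadow"
rm -rf "$d"
```

Once a password has been set and the shell field changed as described under Restricting Access, the same call prints "ok".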
last updated 3 Nov 2004