-----Original Message----- From: Sven 'Darkman' Michels [mailto:sven@darkman.de] Sent: Wednesday, January 28, 2004 8:39 AM To: suse-security@suse.com Subject: Re: [suse-security] sftp with no ssh login
Ben Yau wrote:
Another thing to try is put "logout" at the beginning of ~/.bash_login. Upon ssh login it will run the .bash_login and log them out. On sftp, it won't run ~/.bash_login so they can still sftp.
ssh user@remote.sftp.server rm .bash_login
;)
Ruin my day .. go ahead :) I started thinking of another solution (along the lines of alias rm='logout') when I realized that a smart user could just sftp and put in a new ~/.bash_profile. Provided they were clever enough to figure out how you auto logged them out.

What you could do is in /etc/profile have it read a list of valid users/uid from a root-writable/world-readable file. Then in /etc/profile throw in some logic that if userid does not match the one reading the file then log them out. Then put users who you want to be able to ssh into the root-owned file. Another idea to test out and more secure. Good thinking Sven :)

Off the subject here, but this reminds me of a time when this "big shot" consultant guy came in to consult with our team at my first job (I was a greenie sysadmin) and was showing me how to use sudo and made a list of denied commands. And I told him "isn't that a security hole?" and he said "how?". He had put all the shells in the denied commands so I copied /bin/bash to ~/mybash and then ran it under sudo. His jaw dropping was one of the funniest things I'd ever seen. (Don't want to be too hard on him though, he actually was a really GREAT guy and very fun to work with). So that's why you got to be really careful with your sudo configs :D and in this case the way you attempt to deny ssh and still allow sftp.

Ben Yau
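The /etc/profile allow-list check Ben sketches, as an added example that is not from the thread: the login shell is refused unless the user appears in a root-owned list, and the check fails closed if the list is missing or writable by anyone but its owner (otherwise an sftp-only user could add their own name). The path /etc/ssh-shell-users and the function names are assumptions.

```shell
# Added example, not from the thread: the /etc/profile allow-list check Ben sketches.
# Assumed layout: one username per line in /etc/ssh-shell-users (path is hypothetical),
# owned by root and writable only by root, so an sftp-only user cannot edit it.

ALLOW_FILE="${ALLOW_FILE:-/etc/ssh-shell-users}"

# allow_file_trusted FILE [OWNER]
# 0 if FILE is a regular file owned by OWNER (default root) and not group/world writable.
# Without this check, a user who can sftp could simply append their own name.
allow_file_trusted() {
    file="$1"
    owner="${2:-root}"
    [ -f "$file" ] || return 1
    # find prints the path if the owner is wrong or any non-owner write bit is set
    bad=$(find "$file" ! -user "$owner" -o -perm -g+w -o -perm -o+w)
    [ -z "$bad" ]
}

# user_in_allow_list USER FILE
# 0 if USER matches a whole line of FILE (-x so "ali" does not match "alice",
# -F so a dot in a name is literal), 1 otherwise. '#' comment lines are ignored.
user_in_allow_list() {
    user="$1"
    file="$2"
    grep -v '^[[:space:]]*#' "$file" | grep -qxF -- "$user"
}

# shell_login_allowed USER FILE [OWNER]
# Combined check for /etc/profile; fails closed if the file is missing or untrusted.
shell_login_allowed() {
    allow_file_trusted "$2" "$3" && user_in_allow_list "$1" "$2"
}

# In /etc/profile (sourced by login shells), the one line to add would be:
#   shell_login_allowed "$(id -un)" "$ALLOW_FILE" || exit
```

Only login shells read /etc/profile, so this is a convenience control rather than a security boundary. On current OpenSSH the robust way to grant sftp-only access is a Match block with ForceCommand internal-sftp (plus ChrootDirectory), which did not exist when this thread was written.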