Mailinglist Archive: opensuse-security (670 mails)
| < Previous | Next > |
Re: [suse-security] sftp without without a valid shell?
- From: Boris Lorenz <bolo@xxxxxxx>
- Date: Thu, 08 Nov 2001 18:06:43 +0100 (CET)
- Message-id: <XFMail.011108180643.bolo@xxxxxxx>
Yup,
On 07-Nov-01 Teodor Cimpoesu wrote:
> Hi Boris!
> On Wed, 07 Nov 2001, Boris Lorenz wrote:
>
>> Hi,
>>
>> On 06-Nov-01 Teodor Cimpoesu wrote:
>> > Hi Andreas!
>> > On Tue, 06 Nov 2001, Andreas Rittershofer wrote:
>> >
>> >> On 6 Nov 01, at 10:39, Thorsten Marquardt wrote:
>> >>
>> >> > I like to offer some customers a kind off sftp account but to deny any
>> >> > login to this accounts. So I thought about having /bin/false as shell
>> >> > in
>> >> > /etc/passwd but this prevents sftp to. What can I do?
>> > put /bin/false in /etc/shells and set /bin/false as shell [discl: not
>> > tested]
>>
>> this works with ftp, but not with sftp, which is part of the ssh package.
>>
>> I've gone thru all the options two years ago... /bin/false, /bin/noshell, my
>> own
>> (perl-)shells, to no avail. Only ssh-dummy-shell does the trick.
>>
>> If there's an alternative to it, I would be happy to learn.
>>
> [another not tested rant :)]
> maybe:
> auth required /lib/security/pam_shells.so
> instead of:
> auth required /lib/security/pam_nologin.so
> in /etc/pam.d/sshd?
yeah, the PAM thing... Trouble is I *LOATHE* PAM... Don't know why. Maybe I
suck at it ;)
I still use ssh-dummy-shell. Works cleanly.
However, thanks to teo and Kurt for the tips. I will visit some sites and think
about it.
> -- teodor
Boris Lorenz <bolo@xxxxxxx>
---
On 07-Nov-01 Teodor Cimpoesu wrote:
> Hi Boris!
> On Wed, 07 Nov 2001, Boris Lorenz wrote:
>
>> Hi,
>>
>> On 06-Nov-01 Teodor Cimpoesu wrote:
>> > Hi Andreas!
>> > On Tue, 06 Nov 2001, Andreas Rittershofer wrote:
>> >
>> >> On 6 Nov 01, at 10:39, Thorsten Marquardt wrote:
>> >>
>> >> > I like to offer some customers a kind off sftp account but to deny any
>> >> > login to this accounts. So I thought about having /bin/false as shell
>> >> > in
>> >> > /etc/passwd but this prevents sftp to. What can I do?
>> > put /bin/false in /etc/shells and set /bin/false as shell [discl: not
>> > tested]
>>
>> this works with ftp, but not with sftp, which is part of the ssh package.
>>
>> I've gone thru all the options two years ago... /bin/false, /bin/noshell, my
>> own
>> (perl-)shells, to no avail. Only ssh-dummy-shell does the trick.
>>
>> If there's an alternative to it, I would be happy to learn.
>>
> [another not tested rant :)]
> maybe:
> auth required /lib/security/pam_shells.so
> instead of:
> auth required /lib/security/pam_nologin.so
> in /etc/pam.d/sshd?
yeah, the PAM thing... Trouble is I *LOATHE* PAM... Don't know why. Maybe I
suck at it ;)
I still use ssh-dummy-shell. Works cleanly.
However, thanks to teo and Kurt for the tips. I will visit some sites and think
about it.
> -- teodor
Boris Lorenz <bolo@xxxxxxx>
---
| < Previous | Next > |