Mailinglist Archive: opensuse-security (670 mails)

Re: [suse-security] sftp without without a valid shell?
  • From: "Kurt Seifried" <listuser@xxxxxxxxxxxx>
  • Date: Wed, 7 Nov 2001 14:23:24 -0700
  • Message-id: <001101c167d2$6ed795e0$6400030a@xxxxxxxxxxxx>
For pam stuff:
http://www.samag.com/documents/s=1161/sam0009a/0009a.htm

You can easily set it up so that a user cannot log in via ftp/etc, but sftp
is PART of ssh, so it greatly complicates things. Simply limit them to 1
process or something and they won't be able to fire up a shell.


Kurt Seifried, kurt@xxxxxxxxxxxx
A15B BEE5 B391 B9AD B0EF
AEB0 AD63 0B4E AD56 E574
http://www.seifried.org/security/


----- Original Message -----
From: "Teodor Cimpoesu" <teo@xxxxxxxxxxxxxxxxx>
To: <suse-security@xxxxxxxx>
Sent: Wednesday, November 07, 2001 2:00 PM
Subject: Re: [suse-security] sftp without without a valid shell?


> Hi Boris!
> On Wed, 07 Nov 2001, Boris Lorenz wrote:
>
> > Hi,
> >
> > On 06-Nov-01 Teodor Cimpoesu wrote:
> > > Hi Andreas!
> > > On Tue, 06 Nov 2001, Andreas Rittershofer wrote:
> > >
> > >> On 6 Nov 01, at 10:39, Thorsten Marquardt wrote:
> > >>
> > >> > I like to offer some customers a kind of sftp account but to deny any
> > >> > login to these accounts. So I thought about having /bin/false as shell in
> > >> > /etc/passwd but this prevents sftp too. What can I do?
> > > put /bin/false in /etc/shells and set /bin/false as shell [discl: not tested]
> >
> > this works with ftp, but not with sftp, which is part of the ssh package.
> >
> > I've gone thru all the options two years ago... /bin/false, /bin/noshell, my own
> > (perl-)shells, to no avail. Only ssh-dummy-shell does the trick.
> >
> > If there's an alternative to it, I would be happy to learn.
> >
> [another not tested rant :)]
> maybe:
> auth required /lib/security/pam_shells.so
> instead of:
> auth required /lib/security/pam_nologin.so
> in /etc/pam.d/sshd?
>
>
> -- teodor

