Mailinglist Archive: opensuse-security (670 mails)
Re: [suse-security] sftp without without a valid shell?
- From: Teodor Cimpoesu <teo@xxxxxxxxxxxxxxxxx>
- Date: Wed, 7 Nov 2001 23:00:31 +0200
- Message-id: <20011107230031.A967@xxxxxxxxxxxxxxxxx>
Hi Boris!
On Wed, 07 Nov 2001, Boris Lorenz wrote:
> Hi,
>
> On 06-Nov-01 Teodor Cimpoesu wrote:
> > Hi Andreas!
> > On Tue, 06 Nov 2001, Andreas Rittershofer wrote:
> >
> >> On 6 Nov 01, at 10:39, Thorsten Marquardt wrote:
> >>
> >> > I'd like to offer some customers a kind of sftp account but to deny any
> >> > login to these accounts. So I thought about having /bin/false as shell in
> >> > /etc/passwd but this prevents sftp too. What can I do?
> > put /bin/false in /etc/shells and set /bin/false as shell [discl: not tested]
>
> this works with ftp, but not with sftp, which is part of the ssh package.
>
> I've gone thru all the options two years ago... /bin/false, /bin/noshell, my own
> (perl-)shells, to no avail. Only ssh-dummy-shell does the trick.
>
> If there's an alternative to it, I would be happy to learn.
>
[another not tested rant :)]
maybe:
auth required /lib/security/pam_shells.so
instead of:
auth required /lib/security/pam_nologin.so
in /etc/pam.d/sshd?
-- teodor
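
Both untested suggestions in this thread turn on whether an account's shell is listed in /etc/shells, which is the check pam_shells performs. The following is an added example, not part of any poster's message: it models only that listing check on constructed passwd and shells data, says nothing about whether sshd can then start sftp, and assumes the Linux-PAM behaviour of treating an empty shell field as /bin/sh. The function names are hypothetical.

```python
# Added example: models the pam_shells listing check on constructed data.
DEFAULT_SHELL = "/bin/sh"  # assumption: Linux-PAM fallback for an empty shell field

# Constructed sample data, not taken from any real host.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
customer1:x:1001:100:sftp customer:/home/customer1:/bin/false
customer2:x:1002:100:sftp customer:/home/customer2:/usr/local/bin/noshell
legacy:x:1003:100:old account:/home/legacy:
"""

SAMPLE_SHELLS = """\
# /etc/shells (constructed)
/bin/sh
/bin/bash
/bin/false
"""

def parse_shells(text):
    """Return the set of shells listed, skipping blank and comment lines."""
    shells = set()
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            shells.add(line)
    return shells

def parse_passwd(text):
    """Yield (user, shell) pairs from passwd(5)-format text."""
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        yield fields[0], fields[6]

def shells_verdicts(passwd_text, shells_text):
    """Map each user to (effective_shell, listed_in_shells)."""
    allowed = parse_shells(shells_text)
    result = {}
    for user, shell in parse_passwd(passwd_text):
        effective = shell or DEFAULT_SHELL
        result[user] = (effective, effective in allowed)
    return result

if __name__ == "__main__":
    for user, (shell, ok) in shells_verdicts(SAMPLE_PASSWD, SAMPLE_SHELLS).items():
        print(f"{user:10} {shell:28} {'listed' if ok else 'NOT listed'}")
```
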