Hi List.
I have an issue concerning the usage of an ssh keypair. With that keypair it should only be possible to:
1.) scp, if possible restrict it to a specific directory
2.) ssh -R ...
Any ideas how to do that?
thanks / greets
Michael
Hi Michael,
What about making a separate user for that purpose and putting him in a "rootjail" or restricted shell?
Cheers Eduard
--- Michael 'bukhem' Scherer mscherer@gis-systemhaus.de wrote:
> Hi List.
> I have an issue concerning the usage of an ssh keypair. With that keypair it should only be possible to:
> 1.) scp, if possible restrict it to a specific directory
> 2.) ssh -R ...
> Any ideas how to do that?
> thanks / greets
> Michael
> -- GiS - Gesellschaft fuer integrierte Systemplanung mbH
> +==================================================================+
> Michael Scherer mscherer@gis-systemhaus.de Tel: 06201-503-74 Junkersstr.2 69469 Weinheim Fax: 06201-503-66
> +==================================================================+
> It's a book about a Spanish guy called Manual, you should read it. -- Dilbert
Michael 'bukhem' Scherer wrote:
> Hi List.
> I have an issue concerning the usage of an ssh keypair. With that keypair it should only be possible to:
> 1.) scp, if possible restrict it to a specific directory
> 2.) ssh -R ...
> Any ideas how to do that?
> thanks / greets
> Michael
See man 8 sshd. I think that the best choice would be the parameter no-pty in the authorized_keys file. It will disallow setting up the terminal session.
VlAdImIr DvOrAk, SuSE CR network administrator
On Mon, 30 Jun 2003, Vladimir Dvorak wrote:
> See man 8 sshd. I think that the best choice would be the parameter no-pty in the authorized_keys file. It will disallow setting up the terminal session.
Too easy but that did the job.
Thanks.
Michael
On Mon, Jun 30, 2003 at 03:23:54PM +0200, Michael 'bukhem' Scherer wrote:
> On Mon, 30 Jun 2003, Vladimir Dvorak wrote:
> > See man 8 sshd. I think that the best choice would be the parameter no-pty in the authorized_keys file. It will disallow setting up the terminal session.
> Too easy but that did the job.
I think it really is _too_ easy. if you don't have a tty, you won't get the bash prompt. but that is about all there is to it.
you still can do whatever bash can do. sorry.
you have to be much more restrictive in the authorized_keys file, possibly forcing certain commands. which could parse $SSH_ORIGINAL_COMMAND for additional info ...
Lars Ellenberg
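
The forced-command approach described in the last message, sketched as an added example (not code posted by anyone in this thread): a wrapper that parses $SSH_ORIGINAL_COMMAND and only lets the server side of a legacy-protocol scp run inside one directory. The wrapper path /usr/local/bin/scp-only, the directory /srv/upload and the function name scp_allowed are assumptions for illustration.

```shell
#!/bin/sh
# Hypothetical forced-command wrapper, installed as /usr/local/bin/scp-only.
# authorized_keys entry (one line; <public-key> is a placeholder):
#   command="/usr/local/bin/scp-only",no-pty,no-X11-forwarding,no-agent-forwarding ssh-rsa <public-key>
# Port forwarding is deliberately left enabled so that "ssh -N -R ..." still
# works; -N requests no command, so the wrapper is not involved there.
# Assumes the legacy scp protocol ("scp -O" on clients that default to SFTP).
ALLOWED_DIR="${ALLOWED_DIR:-/srv/upload}"   # assumed directory

# scp_allowed CMD: succeed only for "scp [-r|-p|-d|-v]... -t|-f PATH"
# with PATH equal to ALLOWED_DIR or below it.
scp_allowed() {
    set -f            # no globbing while the command string is split
    set -- $1         # split on whitespace into positional parameters
    set +f
    [ "$1" = "scp" ] || return 1
    shift
    mode=""
    while [ $# -gt 1 ]; do
        case "$1" in
            -t|-f) mode="$1" ;;          # sink (upload) or source (download)
            -r|-p|-d|-v) ;;              # flags the scp client may add
            *) return 1 ;;               # anything else, including extra words
        esac
        shift
    done
    [ -n "$mode" ] && [ $# -eq 1 ] || return 1
    case "$1" in
        *[!A-Za-z0-9._/-]*) return 1 ;;  # shell metacharacters, spaces, etc.
        *..*) return 1 ;;                # conservative: no ".." anywhere
        "$ALLOWED_DIR"|"$ALLOWED_DIR"/*) return 0 ;;
    esac
    return 1
}

# sshd sets SSH_ORIGINAL_COMMAND to what the client asked to run.
# An empty value (a plain login attempt) falls through and the session ends.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    if scp_allowed "$SSH_ORIGINAL_COMMAND"; then
        set -f
        exec $SSH_ORIGINAL_COMMAND   # tokens were validated above
    fi
    echo "command not permitted" >&2
    exit 1
fi
```

The check is purely textual, so symlinks inside the allowed directory that point elsewhere are not caught; file permissions on the account still matter.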