Hi,

due to our security policy we can not provide our users with telnet/ftp but with ssh/sftp to do their stuff on our servers. Now the question arose whether it would be possible to only allow sftp-connections _without_ shell access. I tried to set the users' shells to /bin/noshell, where noshell is a tiny script echoing that shell access to the account is not allowed, but this does not work, possibly due to the fact that sftp connections are tunneled over ssh and therefore need some kind of shell to work properly...

Thanks for any information.

Boris Lorenz <bolo@lupa.de>
* bolo@lupa.de wrote on Tue, Jul 18, 2000 at 17:42 +0200:
> due to our security policy we can not provide our users with telnet/ftp but with ssh/sftp to do their stuff on our servers. Now the question arose whether it would be possible to only allow sftp-connections _without_ shell access. I

(If I understand you correctly).

It may help you to use RSA key authentication via .ssh/authorized_keys and a wrapper (command="..."). This command is executed when connecting with ssh, even if a command was specified at the client's command line. Here you could do the required actions, or verify the command and execute it under some condition only.

man sshd /command=

oki,
Steffen

--
This message was generated by machine; it therefore bears neither signature nor seal.
The manpage is somewhat imprecise in this matter. The term `shell' should read `interactive shell'. It's a shell's task to look for executables in the system if the executable is called without a slash in the first word of the commandline. This is why sshd starts the login shell, gained from the seventh field of the respective line in /etc/passwd, and leaves this problem up to the shell. Other approaches might impose security risks.

Btw, while we're at it: This (login-) shell sources ~/.ssh/config (plus the system-wide one) _without_ creating a new context/subshell (!).

What you could do is the following: Try to set the user's login shell to the sftp client program's path. Another option: Set the login shell to a script which contains `exec /path/to/sftp-client options'.

If you consider trying either method, you should be aware of what this client is capable of. You may end up having some escape or site exec possibilities.

Thanks,
Roman Drahtmüller.

--
Roman Drahtmüller <draht@suse.de>      "Caution: Cape does not
SuSE GmbH - Security                    enable user to fly."
Nürnberg, Germany                       (Batman Costume warning label)
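As an added example that is not part of the thread, here is a wrapper of the kind Steffen describes (a `command="..."` entry in authorized_keys), which also covers Roman's point about what the forced program may do: it looks only at the command sshd recorded in SSH_ORIGINAL_COMMAND and, when that is the sftp subsystem, runs the server-side sftp program from a fixed path, never the requested string itself. The install path /usr/local/bin/sftp-only, the sftp-server path, and the key in the comment are assumptions.

```shell
#!/bin/sh
# sftp-only: forced command for an sftp-only account (example, not from the thread).
# Install as /usr/local/bin/sftp-only (assumed path) and reference it from the
# user's ~/.ssh/authorized_keys, disabling everything but the session itself:
#
#   command="/usr/local/bin/sftp-only",no-port-forwarding,no-X11-forwarding,\
#   no-agent-forwarding,no-pty ssh-rsa AAAA...PLACEHOLDER-KEY... user@example
#
# sshd runs this wrapper instead of whatever the client asked for and puts the
# client's request into SSH_ORIGINAL_COMMAND (empty for an interactive shell).

# Server-side sftp program: an assumption, adjust to your system (match the
# Subsystem line in sshd_config).
SFTP_SERVER="/usr/lib/ssh/sftp-server"

# Decide what to do with the requested command; prints "allow" or "deny" so the
# decision can be checked without executing anything.
sftp_only_decide() {
    case "$1" in
        # A subsystem request shows up as the Subsystem command from sshd_config,
        # e.g. "/usr/lib/openssh/sftp-server" or "internal-sftp", possibly with args.
        internal-sftp|*/sftp-server|*/sftp-server" "*)
            echo allow ;;
        "")
            # No command at all: the client wants an interactive shell.
            echo deny ;;
        *)
            # scp, rsync, arbitrary command lines: not permitted on this account.
            echo deny ;;
    esac
}

sftp_only_main() {
    if [ "$(sftp_only_decide "${SSH_ORIGINAL_COMMAND-}")" = allow ]; then
        # Run the fixed server binary, not the client-supplied string.
        exec "$SFTP_SERVER"
    fi
    echo "Only sftp is permitted on this account." >&2
    exit 1
}

# Dispatch only when invoked as the installed wrapper, so the functions above
# can also be sourced and checked on their own.
case "$0" in
    */sftp-only|sftp-only) sftp_only_main ;;
esac
```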
participants (3)
- bolo@lupa.de
- Roman Drahtmueller
- Steffen Dettmer