Hi,
due to our security policy we can not provide our users with telnet/ftp but
with ssh/sftp to do their stuff on our servers. Now the question arose whether
it would be possible to only allow sftp-connections _without_ shell access. I
tried to set the users' shells to /bin/noshell, where noshell is a tiny script
echoing that shell access to the account is not allowed, but this does not
work, possibly due to the fact that sftp connections are tunneled over ssh and
therefore need some kind of shell to work properly...
Thanks for any information.
Boris Lorenz
* bolo@lupa.de wrote on Tue, Jul 18, 2000 at 17:42 +0200:
due to our security policy we can not provide our users with telnet/ftp but with ssh/sftp to do their stuff on our servers. Now the question arose whether it would be possible to only allow sftp-connections _without_ shell access. I
(If I understand you correctly).
It may help you to use RSA key authentication via .ssh/authorized_keys and a wrapper (command="..."). This command gets executed when connecting with ssh, even if a command was specified at the client's command line. Here you could do the required actions, or verify the command and execute it under some condition only.
man sshd /command=
oki,
Steffen
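As an added illustration (not code from the thread), here is a wrapper of the kind Steffen describes for a command="..." entry in authorized_keys: it inspects the command the client asked for, which OpenSSH's sshd hands to the forced command in SSH_ORIGINAL_COMMAND, and execs sftp-server only on an exact match, refusing shells, scp and everything else. The sftp-server path is a placeholder; take it from the Subsystem line of your sshd_config.

```shell
#!/bin/sh
# Constructed example: forced-command wrapper that allows only the sftp subsystem.
# Install as e.g. /usr/local/sbin/sftp-only (placeholder path) and reference it from
# the key's authorized_keys line, together with the options that close the other
# doors a key can open (forwarding, pty):
#   command="/usr/local/sbin/sftp-only",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa AAAA... user@host

SFTP_SERVER=/usr/lib/ssh/sftp-server   # placeholder: match your sshd_config Subsystem line

# Decide whether the command sshd received may run.
# $1 is the client's requested command; an interactive login leaves it empty.
# Returns 0 (allow) only for the exact sftp-server path, 1 (deny) otherwise.
sftp_only_allowed() {
    case "$1" in
        "$SFTP_SERVER") return 0 ;;   # sftp subsystem request: allow
        *)              return 1 ;;   # shell, scp, sftp-server with extra args, anything else: deny
    esac
}

# Only act as the forced command when sshd is actually invoking us
# (sshd sets SSH_CONNECTION for the session it spawns).
if [ -n "${SSH_CONNECTION:-}" ]; then
    if sftp_only_allowed "${SSH_ORIGINAL_COMMAND:-}"; then
        exec "$SFTP_SERVER"
    fi
    echo "Only sftp is permitted on this account." >&2
    exit 1
fi
```

Rejected attempts are worth logging (e.g. via logger(1)) so that repeated shell or scp requests against an sftp-only key show up in the system log.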
The manpage is somewhat imprecise in this matter. The term `shell' should
read `interactive shell'.
It's a shell's task to look for executables in the system if the
executable is called without a slash in the first word of the commandline.
This is why sshd starts the login shell, gained from the seventh field of
the respective line in /etc/passwd, and leaves this problem up to the
shell. Other approaches might impose security risks.
Btw, while we're at it: This (login-) shell sources ~/.ssh/config (plus
the system-wide one) _without_ creating a new context/subshell (!).
What you could do is the following: Try to set the user's login shell to
the sftp client program's path. Another option: Set the login shell to a
script which contains `exec /path/to/sftp-client options'.
If you consider trying either method, you should be aware of what this
client is capable of. You may end up having some escape or site exec
possibilities.
Thanks,
Roman Drahtmüller.