Hi,

I tried to use rbash to restrict a user's capabilities but need to allow file transfer (sftp). Unfortunately the sftp session is terminated immediately. Is there a chance to enable this combination?

Thanks
Thom

-- 
-------------------------------------------------------------------
bye bye (c) by Thom
| Thorsten Marquardt
| EMail: THOM@kaupp.chemie.uni-oldenburg.de
| Member of the pzt project.
| http://kaupp.chemie.uni-oldenburg.de/pzt
-------------------------------------------------------------------
Hi!

> I tried to use rbash to restrict a user's capabilities but need to allow file transfer (sftp). Unfortunately the sftp session is terminated immediately. Is there a chance to enable this combination?

Just a hint: If you log in with ssh, does rbash print a special message before showing you the prompt? This may be a problem for sftp. I have never done this with rbash but had such a problem with the normal bash shell.

HTH,
Armin

-- 
Am Hasenberg 26               office: Institut für Atmosphärenphysik
D-18209 Bad Doberan                   Schloss-Straße 6
Tel. ++49-(0)38203/42137              D-18225 Kühlungsborn / GERMANY
Email: schoech@iap-kborn.de           Tel. +49-(0)38293-68-102
WWW: http://armins.cjb.net/           Fax. +49-(0)38293-68-50
* Thorsten Marquardt wrote on Thu, Jan 30, 2003 at 14:45 +0000:
> I tried to use rbash to restrict a user's capabilities but need to allow file transfer (sftp). Unfortunately the sftp session is terminated immediately. Is there a chance to enable this combination?

Surely, IIRC sftp-server has some special shell (a minimal, non-interactive shell). Maybe /etc/shells is checked or such for security reasons. Maybe it has nothing to do with rbash? Did you test it with a standard shell?

oki,
Steffen

-- 
This letter was generated by machine and therefore bears neither signature nor seal.
Hello Steffen,

on 30.01.03 you wrote:

> * Thorsten Marquardt wrote on Thu, Jan 30, 2003 at 14:45 +0000:
> > I tried to use rbash to restrict a user's capabilities but need to allow file transfer (sftp). Unfortunately the sftp session is terminated immediately. Is there a chance to enable this combination?
>
> Surely, IIRC sftp-server has some special shell (a minimal, non-interactive shell). Maybe /etc/shells is checked or such for security reasons. Maybe it has nothing to do with rbash? Did you test it with a standard shell?
Is bash standard enough? Yes, it works fine with bash. But I fear I have not been precise enough. So, to clear things up:

I want to have rbash (or a similar one) as the customers' login shell on our web server. Remote users should be able to do at least sftp to the server. But if rbash is the login shell, the sftp session is terminated immediately.

As a workaround I installed a .profile in the user's $HOME which does nothing but:

    #!/bin/sh
    #
    # ftponly shell
    #
    trap "/bin/echo Sorry; exit 0" 1 2 3 4 5 6 7 10 15
    #
    IFS=""
    Admin=theguruhimself@I-am.still-dreaming.tld
    System=`/bin/hostname`@`/bin/dnsdomainname`
    #
    /bin/echo
    /bin/echo "********************************************************************"
    /bin/echo " You are NOT allowed interactive access to $System."
    /bin/echo
    /bin/echo " Direct questions concerning this policy to $Admin."
    /bin/echo "********************************************************************"
    /bin/echo
    #
    #
    exit 0

Thanks
Thom
On Thu, 2003-01-30 at 22:41, Thorsten Marquardt wrote:
> I want to have rbash (or a similar one) as the customers' login shell on our web server. Remote users should be able to do at least sftp to the server. But if rbash is the login shell, the sftp session is terminated immediately.

Hello there,

Have you tried scponly for the remote users' shell? scponly, as the name says, only allows your users to do SCP. I think it also allows sftp, and removes any execution privileges from them. Check it out, I think it will help you:

http://www.sublimation.org/scponly/

Hope this helps,
/valter

-- 
---..---..---..---..---..---..---..---..---..---..---..---..----
Valter Santos
vsantola@devfusion.net                          |||
http://devfusion.net/~vsantola/keys/           (@ @)
------------------------------------------oOO--(_)--OOo---------
Hi,

thanks to all of you. I got some very useful hints and I switched from rbash to rssh (sftpsh in my case)

http://www.pizzashack.org/rssh/index.shtml

and it works fine (so far).

Thom
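
An added example, not part of any message in this thread: a probe for the two failure modes discussed above, a login shell that prints a message of its own (Armin's hint) and a wrapper that prints a notice and exits (like the "ftponly" .profile). It relies on sshd starting the sftp subsystem as `<login shell> -c <command>`; the function names, marker string and sample shells are constructed for illustration.

```shell
#!/bin/sh
# Added example: probe a candidate login shell the way an sftp session uses it.
# Assumption: sshd starts the sftp subsystem as  <login shell> -c <command>,
# and the client then speaks a binary protocol over the command's stdout.

# check_sftp_shell SHELL
#   returns 0: only the command's output reached stdout (sftp can work)
#   returns 1: extra text on stdout (banner or greeting corrupts the protocol)
#   returns 2: the command was never run (shell refused or exited early)
check_sftp_shell() {
    shell=$1
    marker="probe-$$"    # constructed marker string
    # Absolute path on purpose: subsystem commands are normally full paths.
    out=$("$shell" -c "/bin/echo $marker" 2>/dev/null </dev/null)
    case $out in
        "$marker")   echo "$shell: clean";                   return 0 ;;
        *"$marker"*) echo "$shell: prints extra output";     return 1 ;;
        *)           echo "$shell: did not run the command"; return 2 ;;
    esac
}

# Constructed stand-in shells so the check can be tried offline.
make_sample_shells() {
    dir=$1
    # Greets first, then runs the requested command (the banner case).
    printf '%s\n' '#!/bin/sh' 'echo "Welcome to the server"' \
        'exec /bin/sh "$@"' > "$dir/banner-shell"
    # Prints a notice and exits without running anything.
    printf '%s\n' '#!/bin/sh' 'echo "You are NOT allowed interactive access."' \
        'exit 0' > "$dir/refuse-shell"
    chmod +x "$dir/banner-shell" "$dir/refuse-shell"
}

# Stand-alone use: ./check.sh /path/to/candidate-shell
if [ $# -gt 0 ]; then
    check_sftp_shell "$1"
fi
```

Text written to stderr is not counted, since only stdout carries the sftp protocol stream.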