Mailinglist Archive: opensuse-security (260 mails)

< Previous Next >
Re: [suse-security] SFTP without SSH
  • From: Roman Drahtmueller <draht@xxxxxxx>
  • Date: Wed, 19 Jul 2000 14:46:45 +0200 (MEST)
  • Message-id: <Pine.LNX.4.21.0007191431250.15755-100000@xxxxxxxxxxxx>
> * bolo@xxxxxxx wrote on Tue, Jul 18, 2000 at 17:42 +0200:
> > due to our security policy we can not provide our users with telnet/ftp but
> > with ssh/sftp to do their stuff on our servers. Now the question arose wether
> > it would be possible to only allow sftp-connections _without_ shell access. I
>
> (If I understand you correctly).
>
> It may help you to use RSA key authentication via
> .ssh/authorized_keys and a wrapper (command="..."). This command
> become executed when connecting with ssh, even if a command was
> specified at the client's command line. Here you could do the
> required actions, or verify the command and execute it under some
> condition only.
>
> man sshd /command=
>
> oki,
>
> Steffen


The manpage is somewhat imprecise in this matter. The term `shell' should
read `interactive shell'.

It's a shell's task to look for executables in the system if the
executable is called without a slash in the first word of the commandline.
This is why sshd starts the login shell, gained from the seventh field of
the respective line in /etc/passwd, and leaves this problem up to the
shell. Other approaches might impose security risks.
Btw, while we're at it: This (login-) shell sources ~/.ssh/config (plus
the system-wide one) _without_ creating a new context/subshell (!).

What you could do is the following: Try to set the user's login shell to
the sftp client program's path. Another option: Set the login shell to a
script which contains `exec /path/to/sftp-client options'.

If you consider trying either method, you should be aware of what this
client is capable of. You may end up having some escape or site exec
possibilities.

Thanks,
Roman Drahtmüller.
--
- -
| Roman Drahtmüller <draht@xxxxxxx> "Caution: Cape does not |
SuSE GmbH - Security enable user to fly."
| Nürnberg, Germany (Batman Costume warning label) |
- -



< Previous Next >
References