Mailinglist Archive: opensuse-security (465 mails)

< Previous Next >
RE: [suse-security] sftp without without a valid shell?
  • From: Boris Lorenz <bolo@xxxxxxx>
  • Date: Tue, 04 Dec 2001 16:38:50 +0100 (CET)
  • Message-id: <XFMail.011204163850.bolo@xxxxxxx>
Hi John,

On 01-Dec-01 John Ritchie wrote:
> OK, I'm _Really_ behind in my suse-security reading. I hope everybody
> hasn't already moved past this onto better things.
> On Tue, 6 Nov 2001, Boris Lorenz wrote:
>> Hi,
>> On 06-Nov-01 Thorsten Marquardt wrote:
>> > Hi List,
>> >
>> > I like to offer some customers a kind off sftp account but to deny any
>> > login
>> > to this accounts. So I thought about having /bin/false as shell in
>> > /etc/passwd
>> > but this prevents sftp to. What can I do?
>> offer a shell called ssh-dummy-shell, which provides any hooks
>> for
>> secure file transfer via sftp, but denies access to a real shell. Just
>> replace
>> the std shell entry in your /etc/passwd with it.
>> Other shells (e. g. /bin/false) won't work because sftp actually uses a
>> normal
>> ssh tunnel to transmit data, so it needs a more special treatment like std
>> ftp.
>> This ssh-dummy-shell is part of the SSH server package, and also of the
>> Windows
>> Client-Pack (which also includes all server components).
>> However, the Win-Client-Pack isn't free.
>> > Thanks in advance
>> >
>> > Thom
>> Boris Lorenz <bolo@xxxxxxx>
>> ---
> I tried the ssh-dummy-shell from but it didn't interoperate with
> openssh although it worked perfectly on some of our systems that were
> running's SSH server. I didn't try a PAM approach.
> The way I solved this (on Solaris with Openssh) was to set the sftp-only
> user's shell to be the sftp-server binary (/usr/local/libexec/sftp-server
> on my Solaris openssh build). I did not have to add this to /etc/shells.
> I haven't tried this on a SuSE box.

I've tried it on one of our linux boxes, and it doesn't work. The error:

"Warning: ssh_packet_wrapper_input: invalid packet received: len 1819239269
closing the offending input channel."

(Btw., the same error occurs with shells like false, noshell, etc.).

Maybe Solaris "wraps" sftp/ssh sessions differently than Linux. According to
sftp's (Linux-)man page, sftp uses a sub-system from sshd to transfer files
securely. I don't know much about the ssh implementation on Solaris, tho.

> The above solution has been working for several months without a hitch.
> My sftp-only users are connecting with's commercial winblows ssh
> client, v. 3.0.x but I tested it with v 2.4 and also with linux and
> solaris openssh clients.
> If I missed some security implication in the above approach let me know.

Hmm, couldn't think of any. AFAIK sftp was tested against some common
security problems, just like ssh(d). Since sftp does not offer shell escapes, it
should be no risk.

> John Ritchie

Boris Lorenz <bolo@xxxxxxx>

< Previous Next >