allowing scp but not ssh (here's how)

Alex Pennace alex at pennace.org
Sat Jul 27 04:01:44 EDT 2002


On Fri, Jul 26, 2002 at 10:15:29AM -0400, Scott Prive wrote:
> 3) Attempt remote ssh login
> Administrator@PRIVES ~/temp-area
> $ ssh qatest@tower15
> qatest@tower15's password:
> 
> We're sorry, but you do not have shell access to this machine.
> Please contact the system administrator for support.
> 
> Connection to tower15 closed.
> 
> Administrator@PRIVES ~/temp-area
> $
> %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
> 
> 
> Did I miss something Alex, or does your circumvention method perhaps not work with rbash as the shell?

I don't have enough information to recreate your setup exactly; in
particular, rbash by itself doesn't issue the message, "We're sorry,
but you do not have shell access to this machine. Please contact the
system administrator for support," so your rbash may be modified.

Stock rbash reads its initialization files, then prevents people from
running programs outside their path or using cd to change
directories. Normally you would populate ~/bin/ with symlinks to the
binaries you want the user to use, and use ~/.bash_profile to force
~/bin/ to be the user's PATH. This fails if the user can copy files to
~ or ~/bin/, since they can reset ~/.bash_profile or add executables to
~/bin/.
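
The stock rbash layout described above only holds if the confined user cannot write to ~, ~/bin/ or ~/.bash_profile. An audit of that condition follows as an added example, not part of the original post; the function name, the finding labels and the extra startup files checked (~/.bash_login, ~/.profile, ~/.bashrc) are assumptions that go beyond the files the post names.

```shell
#!/bin/sh
# Added example: audit the home directory of an account confined with rbash.
# Usage: audit_rbash_home HOME_DIR USER_OR_UID
# Prints one line per finding; exit status 0 = no findings, 1 = findings.

audit_rbash_home() {
    home=$1 user=$2 findings=0
    # Paths that decide what a stock rbash session can run: the home
    # directory itself, the startup files bash may read, and the
    # directory used as PATH.
    for p in "$home" "$home/.bash_profile" "$home/.bash_login" \
             "$home/.profile" "$home/.bashrc" "$home/bin"; do
        [ -e "$p" ] || continue
        # The owner can always chmod and then write, so ownership by the
        # confined user is a finding on its own.
        if [ -n "$(find "$p" -prune -user "$user" -print)" ]; then
            echo "OWNED-BY-USER $p"
            findings=$((findings + 1))
        # Group/other write bits are flagged conservatively, because
        # group membership is not resolved here.
        elif [ -n "$(find "$p" -prune \( -perm -0020 -o -perm -0002 \) -print)" ]; then
            echo "GROUP-OR-WORLD-WRITABLE $p"
            findings=$((findings + 1))
        fi
    done
    # Without a PATH assignment in ~/.bash_profile the system default
    # PATH stays in effect and ~/bin/ does not limit anything.
    if ! grep -Eq '^[[:space:]]*(export[[:space:]]+)?PATH=' \
            "$home/.bash_profile" 2>/dev/null; then
        echo "NO-PATH-OVERRIDE $home/.bash_profile"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

# Run directly as: sh audit.sh /home/qatest qatest
if [ "$#" -eq 2 ]; then
    audit_rbash_home "$1" "$2"
fi
```

A clean result needs these paths owned by root (or another account) with no group or world write bit; files the user must be able to upload belong in a separate directory that is not on PATH.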


