Telnet to SSH migration

Bill Ricker bill.n1vux at gmail.com
Sat Oct 21 13:05:54 EDT 2006


> I am deprecating the use of telnet for ssh.
>  However, I need to limit the capabilities provided by ssh down

If you set their "shell" in /etc/passwd, as with telnet, it should
work the same.

I'm told RSH and Chroot can make a very effective jail for restricted users.

> no scp, no sftp,

They don't have FTP today?  When stamping out insecure telnet, it's
time to stamp out insecure FTP with SCP too. (There is also an
scp-only variant for FTP-replacement incoming-file accounts, to
prevent SCP users from doing SSH remote commands or SSH shell. But I
rather like SCP users to be able to do an "ssh ls".)


If the default PATH doesn't have the scp/sftp binaries, I think those
are blocked too.

If the user can only run a few commands, I wonder what good
port-forwarding would do the users, or what harm it would do. They
can't run something that connects to the port they're back-forwarding.
If they can connect to port 22, they probably can connect to port 25
too, so forward forwarding buys them little -- unless the system is
in a firewall-protected location, or there are some ports that react
differently to connects from localhost.

If you really want your users in a jail, why give them unix ids at
all? A web portal with their 5 commands on it keeps them in an even
simpler jail.


-- 
Bill
n1vux at arrl.net bill.n1vux at gmail.com
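The restrictions discussed in the message above (no scp/sftp, no port forwarding, a chroot jail, a fixed command set) can be expressed directly in the OpenSSH server configuration rather than relying on the login shell or PATH alone. This is an added example, not configuration from the original message; the group name `restricted`, the chroot path `/srv/jail` and the menu program `/bin/menu` are assumed placeholders.

```sshd_config
# Added example (not from the original message): server-side limits for
# one group of restricted users. Group name, chroot path and the menu
# program are placeholders. Directives outside the Match block still
# apply to everyone else.
Match Group restricted
    # Jail the session. The chroot directory and every path component
    # must be owned by root and not writable by group or others, and it
    # must contain whatever the forced command needs to run.
    ChrootDirectory /srv/jail
    # Run only this program no matter what the client asks for. A shell
    # request, "ssh host ls", an scp invocation and an sftp subsystem
    # request are all replaced by the forced command; the client's
    # original request is exposed to it in SSH_ORIGINAL_COMMAND.
    ForceCommand /bin/menu
    # Remove the tunnelling features the message questions the value of.
    AllowTcpForwarding no
    AllowStreamLocalForwarding no
    PermitTunnel no
    GatewayPorts no
    X11Forwarding no
    AllowAgentForwarding no
    # Keep a PTY only if the forced command is an interactive menu;
    # set to "no" for a strictly non-interactive command.
    PermitTTY yes
```

Check the result with `sshd -t` before restarting, and use `sshd -T -C user=USERNAME` to print the effective settings that the Match block yields for a given account. For key-based accounts the same effect can be obtained per key with the `restrict` and `command="..."` options in `authorized_keys`, which is useful when only some users of a group should be confined.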




