Ah yes, sorry, I *did* intend to copy in the source of the refusal message. :-) Here's what you'd add. There could be something else to this, but I didn't see any symlink trickery. This setup allows specific users (determined by their login shell). Out of curiosity, I have not found any way to defeat this, if my only "account" is one of these rbash-designated accounts.

# cat /etc/ssh/sshrc
# sshd runs this with /bin/sh just before the user's shell starts; SSH_TTY
# is only set when a pty was allocated.
if [ "$SSH_TTY" ]; then
  usershell=`finger -m "$USER" | grep Shell | awk '{print $4}'`
  if [ "$usershell" = "/bin/rbash" ]; then
    echo
    echo "We're sorry, but you do not have shell access to this machine."
    echo "Please contact the system administrator for support."
    echo
    # terminate the sshd session process before the shell is started
    kill -TERM "$PPID"
  else
    echo "Hello World"
  fi
fi
###################################################
# (yeah, I know there's an extra grep up there but it's Not My Code :-)

I also looked at /etc/profile; it seemed fairly standard.

_Scott

-----Original Message-----
From: Alex Pennace [mailto:alex at pennace.org]
Sent: Saturday, July 27, 2002 4:02 AM
To: Scott Prive
Cc: Struts User; discuss at blu.org
Subject: Re: allowing scp but not ssh (here's how)

On Fri, Jul 26, 2002 at 10:15:29AM -0400, Scott Prive wrote:
> 3) Attempt remote ssh login
> Administrator at PRIVES ~/temp-area
> $ ssh qatest at tower15
> qatest at tower15's password:
>
> We're sorry, but you do not have shell access to this machine.
> Please contact the system administrator for support.
>
> Connection to tower15 closed.
>
> Administrator at PRIVES ~/temp-area
> $
> %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
>
>
> Did I miss something Alex, or does your circumvention method perhaps not work with rbash as the shell?

I don't have enough information to recreate your setup exactly; in particular, rbash by itself doesn't issue the message "We're sorry, but you do not have shell access to this machine. Please contact the system administrator for support," so your rbash may be modified.
Stock rbash reads its initialization files, then prevents people from running programs outside their path or using cd to change directories. Normally you would populate ~/bin/ with symlinks to the binaries you want the user to use, and use ~/.bash_profile to force ~/bin/ to be the user's PATH. This fails if the user can copy files to ~ or ~/bin/, since they can reset ~/.bash_profile or add executables to ~/bin/.
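An added example, not code from Scott's sshrc or from Alex: a small POSIX shell script that models the two points this exchange turns on. First, what the posted gate decides: sshd sets SSH_TTY only when it allocated a pty, so scp and `ssh host 'command'` reach the check with it empty and are never killed, which leaves rbash as the only control for those sessions. Second, the failure condition Alex describes: the rbash PATH jail only holds if the user cannot rewrite ~/.bash_profile, cannot drop executables into ~/bin, and cannot rename either one away (which needs write access on ~ itself). The passwd entries and the "mode owner path" layouts below are constructed for the example; a real gate would call `getent passwd` in place of scraping finger output, and a real audit would take the three fields from `ls -ld`.

```shell
#!/bin/sh
# Added example for this thread; it is not the script Scott posted nor
# code from Alex. It models what the sshrc gate actually decides and
# whether an rbash user can still rewrite the files that hold the jail.
#
# Assumptions (constructed, not from a real host):
#   - SAMPLE_PASSWD stands in for `getent passwd`.
#   - Layouts fed to audit_layout are "mode owner path" triples, the three
#     fields you would pull out of `ls -ld`.

SAMPLE_PASSWD='qatest:x:1001:1001:QA test:/home/qatest:/bin/rbash
alice:x:1002:1002:Alice:/home/alice:/bin/bash'

# login_shell USER: print the login shell (7th passwd field, the same
# value finger(1) prints after "Shell:").
login_shell() {
    printf '%s\n' "$SAMPLE_PASSWD" |
        awk -F: -v u="$1" '$1 == u { print $7; exit }'
}

# sshrc_gate USER SSH_TTY: print "deny" or "allow", the decision the posted
# /etc/ssh/sshrc makes. sshd sets SSH_TTY only when it allocated a pty, so
# scp and `ssh host 'cmd'` arrive with it empty and are never denied here;
# for them rbash is the only control.
sshrc_gate() {
    if [ -n "$2" ] && [ "$(login_shell "$1")" = /bin/rbash ]; then
        echo deny
    else
        echo allow
    fi
}

# user_can_write MODE OWNER USER: succeed if USER can change the object.
# The owner can always chmod it back, so ownership alone counts; group or
# other write bits count too (group membership is not modelled).
user_can_write() {
    [ "$2" = "$3" ] && return 0
    case "$1" in
        ?????w????|????????w?) return 0 ;;
    esac
    return 1
}

# audit_layout USER HOME: read "mode owner path" lines on stdin and print
# one line per file the user can alter that rbash relies on: HOME itself
# (rename or replace the files below), every startup file bash may read
# to set PATH, and HOME/bin where the permitted commands live. Anything
# else, e.g. a drop directory for scp, is the user's business.
audit_layout() {
    user=$1
    home=$2
    while read -r mode owner path; do
        case "$path" in
            "$home"|"$home"/.bash_profile|"$home"/.bash_login|"$home"/.profile|"$home"/.bashrc|"$home"/bin)
                if user_can_write "$mode" "$owner" "$user"; then
                    echo "ESCAPE: $user can modify $path ($mode $owner)"
                fi ;;
        esac
    done
    return 0
}

# Constructed layouts. WEAK is the setup Alex describes: the user owns ~,
# ~/.bash_profile and ~/bin, so one scp of a new .bash_profile or of a
# binary into ~/bin ends the jail. HARD gives those three to root and
# leaves the user only ~/incoming to write into.
WEAK='drwxr-xr-x qatest /home/qatest
-rw-r--r-- qatest /home/qatest/.bash_profile
drwxr-xr-x qatest /home/qatest/bin'
HARD='drwxr-xr-x root /home/qatest
-r--r--r-- root /home/qatest/.bash_profile
dr-xr-xr-x root /home/qatest/bin
drwx------ qatest /home/qatest/incoming'

echo "pty login:    $(sshrc_gate qatest /dev/pts/3)"
echo "scp / no pty: $(sshrc_gate qatest '')"
echo "--- weak layout ---"
printf '%s\n' "$WEAK" | audit_layout qatest /home/qatest
echo "--- hardened layout ---"
printf '%s\n' "$HARD" | audit_layout qatest /home/qatest
```

Run it as-is to see both layouts audited. The weak layout reports all three files; the hardened one reports nothing, because root owns ~, ~/.bash_profile and ~/bin and the user's only writable location is the separate drop directory. Root ownership, not just a read-only mode, is what matters: an owner can always chmod the mode back before scp'ing a replacement in.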