allowing scp but not ssh (here's how) (WHOOPS)

[Scott.Prive at storigen.com (Scott Prive)]

Alex,

No log to paste in for my results... but you are correct.. if you allow scp, then it is trivial to copy in a zero length rc file, which will allow ssh access.

I would have thought rbash could be configured to disallow this (or ignore rc files altogether). That may or may not be possible (there is always the source), but I'm very surprised this problem has not been solved before.

Well, I learned something new today.. thanks! :-)

-Scott



-----Original Message-----
From: Scott Prive 
Sent: Tuesday, July 30, 2002 10:02 AM
To: Alex Pennace
Cc: Struts User; discuss at blu.org
Subject: RE: allowing scp but not ssh (here's how) (WHOOPS)


Sorry! I see my mistake in my response (LOL... .ssh/foo ???). I need more coffee, and I'll try this test again "for real", after lunch, and include my results.

Cheers,

Scott

-----Original Message-----
From: Alex Pennace [mailto:alex at pennace.org]
Sent: Monday, July 29, 2002 8:53 PM
To: Scott Prive
Cc: Struts User; discuss at blu.org
Subject: Re: allowing scp but not ssh (here's how)


On Mon, Jul 29, 2002 at 09:45:25AM -0400, Scott Prive wrote:
> Ah yes, sorry, I *did* intend to copy in the source if the refusal message. :-)
> 
> Here's what you'd add. There could be something else to this, but I didn't see any symlink trickery.
> 
> This setup allows specific users (determined by their login shell). Out of curiosity, I have not found any way to defeat this, if my only "account" is one of these rbash-designated accounts.
> 
> # cat /etc/ssh/sshrc
[snip]

/etc/ssh/sshrc is executed only when ~/.ssh/rc doesn't exist (at least
that's how my sshd works). Make a zero-length ~/.ssh/rc.
_______________________________________________
Discuss mailing list
Discuss at blu.org
http://www.blu.org/mailman/listinfo/discuss