On 10/20/06 17:03, Tom Metro wrote:
> Bob - BLU wrote:
>> With a little bit of tinkering I have discovered that replacing the
>> user login shell with a bash script allows me to control scp and sftp...
>
> I would expect that there are config file settings to control those as
> well.

Well, the sftp subsystem can be disabled, globally. But not scp to my
knowledge. I suspect sftp may work with PAM. I don't know about scp and
PAM. Even if scp can be disabled on a per user basis, the user can still
do stuff like:

    ssh user@host 'cat /etc/passwd'

Changing the login shell seems to be a pretty good way to get control
over this.

>> Port forwarding is another matter though. How to disable that on a per
>> user/group basis?
>
> Have you found config file settings to disable port forwarding? (I would
> assume there are.)

On a global basis, yes.

> So I assume your question is mostly about the per user/group aspect of
> the problem. With the significant differences in capabilities you want
> from sshd, it seems like your best option would be to run two instances.
> The version for administrators can use a less restrictive config file
> (but of course have the list of permitted users be limited) and run on
> an alternate port or IP.

Not necessarily my preferred solution, but that is a valuable idea.
Thanks!

Anyone else?
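The login-shell approach discussed in this thread could be implemented as follows; this is an added example, not the script from the original post or code from the list. The install name `restricted-shell`, the `ALLOWED_KINDS` variable and the function names are assumptions made for illustration.

```shell
#!/bin/bash
# Added example: hypothetical wrapper installed as a user's login shell,
# e.g. /usr/local/bin/restricted-shell (name and path are assumptions).
# sshd starts the login shell with no arguments for an interactive session
# and as `<shell> -c '<command>'` for scp, sftp and `ssh host command`.

# Space-separated request kinds this account may use (default deny).
ALLOWED_KINDS="${ALLOWED_KINDS:-interactive}"

# Classify the request from the arguments sshd passed to the shell.
classify_request() {
    if [ "$#" -eq 0 ]; then
        echo interactive
        return
    fi
    if [ "$1" != "-c" ] || [ "$#" -ne 2 ]; then
        echo unknown
        return
    fi
    case "$2" in
        scp|"scp "*)                                  echo scp ;;
        sftp-server|*/sftp-server|*/sftp-server" "*)  echo sftp ;;
        *)                                            echo exec ;;
    esac
}

# Succeeds only if the request kind is on the allow list.
is_allowed() {
    case " $ALLOWED_KINDS " in
        *" $1 "*) return 0 ;;
        *)        return 1 ;;
    esac
}

main() {
    kind=$(classify_request "$@")
    if ! is_allowed "$kind"; then
        logger -t restricted-shell "denied $kind for ${USER:-unknown}: ${2:-}"
        echo "This account does not permit $kind requests." >&2  # stderr keeps the scp stream clean
        exit 1
    fi
    case "$kind" in
        interactive) exec /bin/bash -l ;;
        *)           exec /bin/bash -c "$2" ;;
    esac
}

# Enforce only when run under the installed name, so the file can be sourced.
case "${0##*/}" in
    restricted-shell) main "$@" ;;
esac
```

Because the policy is an allow list, a command such as `cat /etc/passwd` or a renamed copy of scp falls into the denied `exec` kind. A session that requests only port forwarding never starts the login shell, so this wrapper does not affect it.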