
BLU Discuss list archive



Telnet to SSH migration



On 10/20/06 17:03, Tom Metro wrote:
> Bob - BLU wrote:
>> With a little bit of tinkering I have discovered that replacing the 
>> user login shell with a bash script allows me to control scp and sftp...
> 
> I would expect that there are config file settings to control those as 
> well.

Well, the sftp subsystem can be disabled, globally.  But not scp to my knowledge.

I suspect sftp may work with PAM.  I don't know about scp and PAM.

Even if scp can be disabled on a per user basis, the user can still do stuff like:

	ssh user@host 'cat /etc/passwd'

Changing the login shell seems to be a pretty good way to get control over this.

>> Port forwarding is another matter though. How to disable that on a per 
>> user/group basis?
> 
> Have you found config file settings to disable port forwarding? (I would 
> assume there are.)

On a global basis, yes.

> So I assume your question is mostly about the per user/group aspect of 
> the problem. With the significant differences in capabilities you want 
> from sshd, it seems like your best option would be to run two instances. 
> The version for administrators can use a less restrictive config file 
> (but of course have the list of permitted users be limited) and run on 
> an alternate port or IP.

Not necessarily my preferred solution, but that is a valuable idea.  Thanks!

Anyone else?


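The login-shell approach from the thread, as an added example that is not Bob's script: a small POSIX sh login shell that only lets sshd start the sftp server and refuses scp and arbitrary remote commands such as the `cat /etc/passwd` case above. The sftp-server path and the script name `restricted-shell` are assumptions. Port forwarding never reaches the login shell, so it still has to be handled in sshd_config (AllowTcpForwarding).

```shell
#!/bin/sh
# restricted-shell: hypothetical login shell for accounts limited to sftp.
# sshd runs the user's login shell as  $SHELL -c '<command>'  for scp, sftp
# and "ssh user@host 'cmd'" requests, and with no arguments for an
# interactive login. Port forwarding is not visible here at all.

# Assumed location of OpenSSH's sftp-server (Debian/Ubuntu use
# /usr/lib/openssh/sftp-server); override via the environment if different.
SFTP_SERVER="${SFTP_SERVER:-/usr/libexec/openssh/sftp-server}"

# allow_command CMD: return 0 if CMD is on the whitelist, 1 otherwise.
# Whitelisting exact forms means scp ("scp -t dir"), "cat /etc/passwd" and
# anything chaining shell metacharacters onto sftp-server are all refused.
allow_command() {
    case "$1" in
        "$SFTP_SERVER")                    return 0 ;;  # plain sftp subsystem
        "$SFTP_SERVER -u "[0-7][0-7][0-7]) return 0 ;;  # "Subsystem sftp ... -u 022"
        *)                                 return 1 ;;
    esac
}

main() {
    if [ "$#" -eq 0 ]; then
        echo "This account does not permit interactive logins." >&2
        exit 1
    fi
    if [ "$1" = "-c" ] && allow_command "$2"; then
        # $2 is whitelisted, so splitting it on spaces is safe here.
        set -- $2
        exec "$@"
    fi
    echo "Command refused by restricted shell: ${2:-$1}" >&2
    exit 1
}

# Dispatch only when installed as the login shell (argv[0] is
# "restricted-shell", or "-restricted-shell" for a login shell).
case "${0##*/}" in
    restricted-shell|-restricted-shell) main "$@" ;;
esac
```

Install it with `chsh -s /usr/local/bin/restricted-shell user` after listing it in /etc/shells; sftp then works while scp and remote commands are refused.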




