
BLU Discuss list archive


Telnet to SSH migration

> I am deprecating the use of telnet for ssh.
> However, I need to limit the capabilities provided by ssh down

If you set their "shell" in /etc/passwd, as with telnet, it should
work the same.

I'm told RSH and Chroot can make a very effective jail for restricted users.

> no scp, no sftp,

They don't have FTP today? When stamping out insecure telnet, it's
time to stamp out insecure FTP with SCP too. (There is also an
scp-only variant for FTP-replacement incoming-file accounts, to
prevent SCP users from doing SSH remote commands or SSH shell. But I
rather like SCP users to be able to do an "ssh ls".)

If the default PATH doesn't have the scp/sftp binaries, I think those
are blocked too.

If the user can only run a few commands, I wonder what good
port-forwarding would do the users, or what harm it would do. They
can't run something that connects to the port they're back-forwarding.
If they can connect to port 22, they probably can connect to port 25
too, so forward forwarding buys them little -- unless the system is
in a firewall-protected location, or there are some ports that react
differently to connects from localhost.

If you really want your users in a jail, why give them unix ids at
all? A web portal with their 5 commands on it keeps them in an even
simpler jail.

n1vux at bill.n1vux at
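
Added example, not part of the original message: a minimal whitelist login shell illustrating the "set their shell in /etc/passwd" approach discussed above. sshd runs remote commands as `$SHELL -c '<command>'`, so a shell that accepts only a fixed list also refuses scp and an external sftp-server. The install path, the `menu-shell` name and the command list are assumptions.

```shell
#!/bin/sh
# Added example: whitelist login shell. The install path
# (e.g. /usr/local/bin/menu-shell) and the command list are assumptions.
PATH=/usr/bin:/bin; export PATH
ALLOWED="uptime date df"

# check_command CMDLINE
# Prints the program name and returns 0 only when the whole request is exactly
# one allowed word; arguments, paths and shell metacharacters never match.
check_command() {
    for ok in $ALLOWED; do
        [ "$1" = "$ok" ] && { printf '%s\n' "$ok"; return 0; }
    done
    return 1
}

# sshd starts a remote command as: $SHELL -c '<command>'. That covers
# "ssh host cmd", scp ("scp -t ...") and an external sftp-server subsystem.
# Not covered by any login shell: "Subsystem sftp internal-sftp" and TCP
# forwarding, which sshd handles itself (see AllowTcpForwarding in sshd_config).
if [ "${1:-}" = "-c" ]; then
    if prog=$(check_command "${2:-}"); then
        exec "$prog"
    fi
    logger -p auth.notice -t menu-shell "refused for ${USER:-unknown}: ${2:-}"
    echo "command not permitted" >&2
    exit 1
fi
# No arguments means an interactive login: the script ends and the session closes.
```

Refused requests are written to syslog under the `menu-shell` tag, which gives a place to watch for users probing the restriction.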


BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.
