> I am deprecating the use of telnet for ssh.
> However, I need to limit the capabilities provided by ssh down

If you set their "shell" in /etc/passwd, as with telnet, it should work the same. I'm told RSH and Chroot can make a very effective jail for restricted users.

> no scp, no sftp,

They don't have FTP today? When stamping out insecure telnet, it's time to stamp out insecure FTP with SCP too.

(There is also an scp-only variant for FTP-replacement incoming-file accounts, to prevent SCP users from doing SSH remote commands or SSH shell. But I rather like SCP users to be able to do an "ssh ls".)

If the default PATH doesn't have the scp/sftp binaries, I think those are blocked too.

If the user can only run a few commands, I wonder what good port-forwarding would do the users, or what harm it would do. They can't run something that connects to the port they're back-forwarding. If they can connect to port 22, they probably can connect to port 25 too, so forward forwarding buys them little -- unless the system is in a fire-wall protected location, or there are some ports that react differently to connects from localhost.

If you really want your users in a jail, why give them unix ids at all? A web portal with their 5 commands on it keeps them in an even simpler jail.

--
Bill
n1vux at arrl.net    bill.n1vux at gmail.com
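The post above talks about confining SSH-only users to a handful of commands and taking scp, sftp and port forwarding away from them. The following is an added example, not code from the poster or from the BLU list: instead of the restricted-shell or chroot route mentioned in the message, it uses sshd's own ForceCommand mechanism with a small allowlist wrapper. The sshd_config Match block in the comments, the group name "restricted" and the wrapper path /usr/local/bin/ssh-allowlist are assumptions for illustration. sshd hands the client's requested command to the wrapper in SSH_ORIGINAL_COMMAND; a plain login request leaves that variable unset, which the wrapper treats as a refusal, so neither an interactive shell nor scp/sftp (whose client-side invocations ask the server to run scp or sftp-server) gets through.

```shell
#!/bin/sh
# Added example, not from the original post: a ForceCommand wrapper that
# confines an SSH account to a short allowlist of remote commands.
#
# Assumed deployment (not on the original page), in /etc/ssh/sshd_config:
#   Match Group restricted
#       ForceCommand /usr/local/bin/ssh-allowlist
#       AllowTcpForwarding no
#       X11Forwarding no
#       PermitTTY no
#
# sshd exports the client's requested command as SSH_ORIGINAL_COMMAND
# and runs this script instead of the user's login shell.

# allow_cmd REQUEST: print the vetted command line and return 0, or
# return 1 when the request is not permitted. Kept as a function so the
# policy can be exercised without an sshd in front of it.
allow_cmd() {
    req="$1"

    # Empty request means the client asked for an interactive shell.
    [ -n "$req" ] || return 1

    # Refuse shell metacharacters so "ls; sh" cannot smuggle a second
    # command past the allowlist (patterns are quoted, hence literal).
    case "$req" in
        *';'*|*'&'*|*'|'*|*'`'*|*'$'*|*'('*|*')'*|*'<'*|*'>'*|*'\'*|*'*'*|*'?'*)
            return 1 ;;
    esac

    # The command name is the first whitespace-delimited word.
    name=${req%% *}

    # Only these read-only commands are offered. scp and sftp-server are
    # deliberately absent, which is what blocks scp/sftp for these users.
    case "$name" in
        ls|df|uptime|who)
            printf '%s\n' "$req"
            return 0 ;;
        *)
            return 1 ;;
    esac
}

# Entry point when sshd invokes the script as ForceCommand. The guard on
# SSH_CONNECTION keeps this from running when the file is merely sourced
# for testing.
if [ -n "${SSH_CONNECTION:-}" ]; then
    if cmd=$(allow_cmd "${SSH_ORIGINAL_COMMAND:-}"); then
        # Run the vetted command with a fixed PATH; word splitting of
        # $cmd is intended, metacharacters were rejected above.
        PATH=/usr/bin:/bin
        export PATH
        exec $cmd
    else
        echo "ssh-allowlist: command not permitted" >&2
        exit 127
    fi
fi
```

The wrapper is a first line of defence, not a substitute for the sshd_config directives: without AllowTcpForwarding no, a client can still request port forwarding on a connection whose command was refused, and without PermitTTY no the allowed commands could be given a terminal. Anything the allowed commands can do (for example `ls` on arbitrary paths) remains available, so pick them with the account's actual permissions in mind.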