Telnet to SSH migration
Bob - BLU
blu at scrunch.net
Fri Oct 20 18:30:17 EDT 2006
On 10/20/06 17:03, Tom Metro wrote:
> Bob - BLU wrote:
>> With a little bit of tinkering I have discovered that replacing the
>> user login shell with a bash script allows me to control scp and sftp...
>
> I would expect that there are config file settings to control those as
> well.
Well, the sftp subsystem can be disabled, globally. But not scp to my knowledge.
I suspect sftp may work with PAM. I don't know about scp and PAM.
Even if scp can be disabled on a per user basis, the user can still do stuff like:
    ssh user@host 'cat /etc/passwd'
Changing the login shell seems to be a pretty good way to get control over this.
>> Port forwarding is another matter though. How to disable that on a per
>> user/group basis?
>
> Have you found config file settings to disable port forwarding? (I would
> assume there are.)
On a global basis, yes.
> So I assume your question is mostly about the per user/group aspect of
> the problem. With the significant differences in capabilities you want
> from sshd, it seems like your best option would be to run two instances.
> The version for administrators can use a less restrictive config file
> (but of course have the list of permitted users be limited) and run on
> an alternate port or IP.
Not necessarily my preferred solution, but that is a valuable idea. Thanks!
Anyone else?
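The login-shell approach discussed in this thread, as an added example that is not part of the original messages: sshd hands scp, an external sftp-server and remote commands such as `cat /etc/passwd` to the user's login shell as `-c '<command>'`, so a wrapper script can classify and refuse them. The sftp-server path and the ALLOW policy below are assumptions.

```shell
#!/bin/sh
# Added example: restricted login shell. sshd runs "<login shell> -c '<cmd>'"
# for remote commands, scp, and an external sftp-server subsystem.
# ASSUMPTIONS: SFTP_SERVER path and ALLOW policy are illustrative.
SFTP_SERVER=/usr/libexec/openssh/sftp-server
ALLOW="sftp scp-upload"
set -f    # never glob-expand client-supplied text

# classify CMD -> prints sftp | scp-upload | scp-download | other
classify() {
    set -- $1    # whitespace split only; nothing is evaluated
    [ $# -gt 0 ] || { echo other; return; }
    for w in "$@"; do    # allowlist characters, so ';' '|' '$' etc. are refused
        case $w in *[!A-Za-z0-9._/@:=+,-]*) echo other; return ;; esac
    done
    case $1 in
        "$SFTP_SERVER") [ $# -eq 1 ] && echo sftp || echo other; return ;;
        scp) shift ;;
        *) echo other; return ;;
    esac
    mode=
    for w in "$@"; do    # scp options precede the path
        case $w in
            -t) mode="$mode upload" ;;      # server side receives
            -f) mode="$mode download" ;;    # server side sends
            -*) ;;
            *) break ;;
        esac
    done
    case $mode in
        " upload") echo scp-upload ;;
        " download") echo scp-download ;;
        *) echo other ;;
    esac
}

# permitted KIND -> status 0 when KIND is listed in ALLOW
permitted() {
    case " $ALLOW " in *" $1 "*) return 0 ;; esac
    return 1
}

# Enforce only when started by sshd, which sets SSH_CONNECTION.
if [ -n "${SSH_CONNECTION:-}" ]; then
    [ "${1:-}" = -c ] || { echo "interactive login disabled" >&2; exit 1; }
    kind=$(classify "$2")
    logger -t ssh-policy "user=$USER kind=$kind cmd=$2"
    if permitted "$kind"; then set -- $2; exec "$@"; fi
    echo "command not permitted" >&2
    exit 1
fi
```

Port forwarding does not pass through the login shell, so this wrapper has no effect on it.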