RE: ssh.com sshd 3.2.x, really enforcing sftp-only

Hello again

Thanks for the help some have already offered.  A quick update - it's
apparently slightly worse than I thought.  

With plink/putty, this doesn't work, but with openssh it does (my tests
were from OS X and Solaris, other platforms should behave the same):

ssh user@host cmd

gives a full interactive shell.  Grr.

In my testing, at least I wasn't able to execute programs kept on shares
accessible to the ssh server with

ssh user@host \\server\share\program.exe

so locking down the permissions on the server itself should be
reasonably complete.

I've found plenty of discussion of how to do this on a *nix server -
just change your users' shells in /etc/passwd to /sbin/sftp-server (or
wherever the sftp-server binary is kept), or to a simple program that
will exit with an error message if its arguments are anything but "-c
sftp-server".

Apparently you can do the same thing using openssh + cygwin, since it
involves making a "dummy" /etc/passwd file for cygwin programs to check.

Regards
Mark Senior

---End sensible content---

This email and any files transmitted with it are confidential and intended 
solely for the use of the individual or entity to whom they are addressed. If 
you have received this email in error please notify the system manager. This 
message contains confidential information and is intended only for the 
individual named. If you are not the named addressee you should not 
disseminate, distribute or copy this e-mail.