Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Secure-Shell
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: ssh.com sshd 3.2.x, really enforcing sftp-only

from [Robert L Sowders] Network Security [Permanent Link]
Subject: RE: ssh.com sshd 3.2.x, really enforcing sftp-only
Date: Tue, 26 Apr 2005 10:34:29 -1000 
I've seen lot's of discussion on this topic.

IMHO, there are only two real ways to do what you want, write a custom 
shell, or use PKI logins that limit what can be done with the key.  Using 
PKI logins and limiting what can be done with the key and then forcing a 
command with the key is usually the best way but it is fraught with 
configuration overhead for each user.

You can limit the key and force a command like authprogs, (which is a 
custom perl script), and you have a very secure and easily configured 
solution.  There is a great write up about it in Linux Hacking Exposed. 
Quite old but still valid.  As far as the hassle of having users make the 
keys and send you the public part then editing each one, there is nothing 
to prevent you from making one key locally, keeping the public part, 
(which you customized), and sending the private part to your users.

See part 3 of the article to learn how to limit the key 
http://www.hackinglinuxexposed.com/articles/20030109.html
See part 4 of the article to get and learn about the authprogs perl 
script.  http://www.hackinglinuxexposed.com/articles/20030115.html

This will help, I've instituted something like the above for a rather 
larger user base.

rls





"Mark Senior" <Mark.Senior@gov.ab.ca>
04/25/2005 07:22 AM

 
        To:     <secureshell@securityfocus.com>
        cc: 
        Subject:        RE: ssh.com sshd 3.2.x, really enforcing sftp-only


Hello again

Thanks for the help some have already offered.  A quick update - it's
apparently slightly worse than I thought. 

With plink/putty, this doesn't work, but with openssh it does (my tests
were from OS X and Solaris, other platforms should behave the same):

ssh user@host cmd

gives a full interactive shell.  Grr.

In my testing, at least I wasn't able to execute programs kept on shares
accessible to the ssh server with

ssh user@host \\server\share\program.exe

so locking down the permissions on the server itself should be
reasonably complete.

I've found plenty of discussion of how to do this on a *nix server -
just change your users' shells in /etc/passwd to /sbin/sftp-server (or
wherever the sftp-server binary is kept), or to a simple program that
will exit with an error message if its arguments are anything but "-c
sftp-server".

Apparently you can do the same thing using openssh + cygwin, since it
involves making a "dummy" /etc/passwd file for cygwin programs to check.

Regards
Mark Senior

---End sensible content---

This email and any files transmitted with it are confidential and intended 
solely for the use of the individual or entity to whom they are addressed. 
If you have received this email in error please notify the system manager. 
This message contains confidential information and is intended only for 
the individual named. If you are not the named addressee you should not 
disseminate, distribute or copy this e-mail.
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: ssh.com sshd 3.2.x, really enforcing sftp-only, Sonsurkar, Jayant
Next by Date:  scp and prompting for password, DDecounter
Previous by Thread:  RE: ssh.com sshd 3.2.x, really enforcing sftp-only, Sonsurkar, Jayant
Next by Thread:  pam_get_data / pam_set_data in a PAM module does not work with sshd, Kala B
Indexes:  [Date] [Thread] [Top] [All Lists]