I forgot to mention that we're using RHEL AS3 (currently at update 8)
and RHEL AS4 (currently at update 4). Does scponly support these
distributions?
From a quick read of the scponly web page:
- it seems to indiate that SFTP will work as well--is that actually the
case?
- it appears to require a chroot'd environment. If this is the case,
then I assume that the target dropbox will have to be in that users's
chroot'd environment. If so, then I assume it would make sense to
replace the global dropbox that the rest of the system/users use to be a
symbolic link to the dropbox in that user's chroot'd environment (so
they don't have to see the gory details of chroot'd environments).
- I assume this would be a patched to the openssh package? Or is it
simply installing the scponly shell on the system and pointing that user
id at that shell in /etc/passwd?
I'm busied out with another deliverable at the moment, so will dig
deeper into what you mention below in the next coupld of days
(hopefully).
By the way, the pizzashack reference seems to indicate that there are
security risks, so that concerns me. Does "scponly" have security risks
as well?
Thanks!
Mark
-----Original Message-----
From: Benjamin Donnachie [mailto:benjamin@pythagoras.no-ip.org]
Sent: Tuesday, September 05, 2006 11:53 AM
To: secureshell@securityfocus.com
Cc: Holden, Mark (RICH1:B670)
Subject: Re: openssh: Enabling sftp, but disabling ssh?
Mark Holden wrote:
Does anybody know if it's possible, using openssh, to allow file
transfer to/from a machine, using sftp, for a specific userid, and
disallow ssh login/remote command execution for that same userid?
Other userids on the machine should be unaffected.
I do exactly that on my system; you can't achieve it with OpenSSH alone
and need to use a helper allocation such as either scponly[1] or
rssh[2].
Ben
[1] http://www.sublimation.org/scponly/
[2] http://www.pizzashack.org/rssh/
