Re: [Freebsd-security] Re: Multi-User Security
From: Crist J. Clark (cristjc_at_comcast.net)
Date: 06/09/04
- Previous message: Crist J. Clark: "Re: syslogd(8) Dropping Privs"
- In reply to: Doug Barton: "Re: [Freebsd-security] Re: Multi-User Security"
- Next in thread: Bruce M Simpson: "Re: [Freebsd-security] Re: Multi-User Security"
- Reply: Bruce M Simpson: "Re: [Freebsd-security] Re: Multi-User Security"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 9 Jun 2004 07:52:23 -0700 To: Doug Barton <DougB@FreeBSD.org>
On Wed, Jun 09, 2004 at 05:03:02AM -0700, Doug Barton wrote:
> On Mon, 7 Jun 2004, Crist J. Clark wrote:
>
> >On Sun, Jun 06, 2004 at 11:38:55PM -0700, Doug Barton wrote:
> >>On Wed, 19 May 2004, Dan Rue wrote:
> >>
> >>>You obviously havn't tried to chroot scponly users.. _that's_ the tricky
> >>>part. Especially if you want it to scale up beyond a handful of users.
> >>>If i'm wrong - fill me in i'd love to hear how to do it.
> >>
> >>Have you considered using ~/.ssh/authorized_keys to restrict the account
> >>from tty access? This would allow you to do commands (like scp) without
> >>the risk of the user getting an actual shell.
> >
> > $ ssh host /bin/sh
> >
> >You don't need a tty to get an interactive shell.
>
> You can also enforce what commands the user can run to prevent this.
> Read sshd(8) for more information.
If you are talking about the "command" option for an authorized key,
that is a useful functionality, but it does not really apply to the
scp(1) case. If there is some other way to restrict the commands
a user can execute via sshd(8) (besides passing the user to a
restricted shell or other external control), I'm sorry, but I'm not
catching on.
Using command restrictions for authorized keys doesn't work for scp(1)
since doing,
$ scp host1:file1 file2
Actually runs,
$ ssh host1 scp -f file1
As far as the SSH client-server interaction goes, you cannot specify
a command in the authorized keys file and still have scp(1) work.
Also due to the fact scp(1) works in this manner, any "scp-only" setup
has to be able to defeat,
$ ssh host1:'file1; command arg1 ..' file2
For example, try,
$ scp host1:'/etc/motd; touch scp_test' /dev/null
And check for 'scp_test' in the user's home directory on the server.
To do scp-only, you either need (a) a hacked up sshd(8) daemon, (b) a
jailed environment, or (c) a special shell for the user that only allows
scp(1) to run. The funny thing is, I think (c) is probably the easiest
to implement on a mass scale, but seems to be the option most seldom
considered.
--
Crist J. Clark | cjclark@alum.mit.edu
| cjclark@jhu.edu
http://people.freebsd.org/~cjc/ | cjc@freebsd.org
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
- Previous message: Crist J. Clark: "Re: syslogd(8) Dropping Privs"
- In reply to: Doug Barton: "Re: [Freebsd-security] Re: Multi-User Security"
- Next in thread: Bruce M Simpson: "Re: [Freebsd-security] Re: Multi-User Security"
- Reply: Bruce M Simpson: "Re: [Freebsd-security] Re: Multi-User Security"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
|
