Restricting sftp

From: Leland T. Snyder (ltsnyder@x3ci.com)
Date: 02/24/03

    To: <secureshell@securityfocus.com>
    Date: Mon, 24 Feb 2003 12:27:31 -0500
    
    

    I hope there is an easy answer to this question.

    I'm using OpenSSH on RedHat 8.0 (i386) and I have all the most recent patches:

    [root@base04 root]# rpm --query --all | grep openssh
    openssh-3.4p1-2
    openssh-server-3.4p1-2
    openssh-askpass-gnome-3.4p1-2
    openssh-clients-3.4p1-2
    openssh-askpass-3.4p1-2
    [root@base04 root]#
    [root@base04 root]# rpm --query --all | grep bash
    bash-2.05b-5
    [root@base04 root]#

    When you enable a user for sftp it seems they are only restricted by
    file/directory permissions.
    Can you add the restrictions of rbash (i.e. Restricted Bash) or some other
    simple means to restrict the locations that a person can exchange files
    from?

    I'm sure there is a simple answer to this question, and thank you in
    advance for your help. I just can't find anything like this documented,
    and I'm not sure whether, if I set /usr/sbin/rbash as the default shell for
    the sftp login, that will allow me to restrict sftp access by that id.

    -Leland


