Re: allow only sftp?

From: Brian Hatch (secure-shell@ifokr.org)
Date: 04/12/03

  • Next message: Lesley Leposo: "RSA_private_encrypt"
    Date: Fri, 11 Apr 2003 15:07:35 -0700
    From: Brian Hatch <secure-shell@ifokr.org>
    To: Graeme Vetterlein <Graeme.Vetterlein@ntl.com>
    
    
    

    > > Since subsystems do: $SHELL -c $SUBSYSTEM
    >
    > If this does what it sounds like, seems a pretty dumb decision.
    >
    > I write a 'subsystem' in perl and expect the shell to be perl
    > I write a 'subsysyem' in C and don't care what shell is ruuning just
    > exec(2) me
    > I write a 'subsystem' in csh(1) and expect the shell to be csh(1)
    >
    > But no way does it make sense to run 'MY' system in the 'prefered shell' of
    > 'HIM/HER' .
    >
    > In short it's the shell that the writer of the subsystem assumed which
    > should be used
    > not the shell shell that the end user happens to like. The shell the writer
    > should
    > assume is whatever one the ssh docs tell him it will be. So:
    >
    > /bin/sh -c ${SUBSYSTEM}
    > or simply exec ${SUBSYSTEM}
    >
    > Would be more reasonable??

    Many sites set up users with specific shells that read global and
    per-user configuration files to set up their environment correctly,
    such as to set an appropriate umask, create process limits, or add
    things to your path. While you can do this in PAM as well, not every
    machine has PAM built in, and many many administrators don't know
    how to configure these things using PAM, so you'd be depriving them
    of this option.

    --
    Brian Hatch                  I have no cognitive
       Systems and                powers.  It's amazing
       Security Engineer          that I'm respirating.
    http://www.ifokr.org/bri/     --bree
    Every message PGP signed
    
    



  • Next message: Lesley Leposo: "RSA_private_encrypt"

    Relevant Pages

    • RE: allow only sftp?
      ... If this does what it sounds like, seems a pretty dumb decision. ... But no way does it make sense to run 'MY' system in the 'prefered shell' of ... The shell the writer ... The contents of this email and any attachments are sent for the personal attention ...
      (SSH)
    • Problem in file transfer over Bluetooth
      ... 327946 PID:400002 TID:5700056 Shell: call find failed! ... 327946 PID:400002 TID:2570002 Writer: woke up ... 327946 PID:400002 TID:2570002 Writer: go to sleep ...
      (microsoft.public.windowsce.platbuilder)
    • Re: Controlling imap access
      ... >> Is there ia way using pam to have user authenticate for imap access, ... > You don't need PAM for this. ... Set the user's shell to /sbin/nologin. ... It depends on the IMAP daemon. ...
      (FreeBSD-Security)
    • Re: [Resolved?]Re: Passwords dont work anywhere, SSH pubkey does. PAM problem?
      ... get a shell as well, but it's still worth looking at. ... don't pass a sha1sum test. ... and Samba's hooks into PAM got all screwed up. ... Removing the corrupted Samba databases fixed everything. ...
      (Ubuntu)
    • Re: Temporarily assign a shell to a user
      ... >these users but fetchmail doesn't work without a shell, ... Could use pam to do this I suspect. ... could crash and pam is not run on logoff I do not believe. ...
      (comp.os.linux.security)