Re: SFTP

From: Derek Martin (code_at_pizzashack.org)
Date: 08/06/03

Next message: Derek Martin: "Re: Need sshd running in debug mode with multiple connections"

Previous message: Chris Macneill: "RE: Need sshd running in debug mode with multiple connections"
In reply to: Ranjeet Shetye: "Re: SFTP"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Wed, 6 Aug 2003 13:18:34 -0400
To: secureshell@securityfocus.com

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tue, Aug 05, 2003 at 10:46:37AM -0700, Ranjeet Shetye wrote:
[My earlier comments snipped]
> >The problem here is that when you sftp to a host, sshd starts a copy
> >of the user's shell, with the command-line options appropriate for
> >running sftp-server, the server-side portion of sftp. Essentially:
> >
> > /path/to/shell -c /path/to/sftp-server
> >
> >Your version of a shell will not allow this to work.
[more snippage]
> hi,
>
> what about just using a simple "/bin/false" for the login shell for
> user ids that I dont want to log in but which I setup for sFTP ? that's

This will work fine if you want to completely disable the account, but
it will NOT work if you want to allow sftp, for exactly the same
reasons as stated above. For sftp/scp to work, the user's shell MUST
allow the execution of commands, and MUST accept the -c option to
specify what command to run.

If you need this, you'll want to use something like rssh:

http://www.pizzashack.org/rssh/

rssh mimics the functionality of a normal shell, but only allows the
execution of scp and/or sftp-server, depending on how you configure
it. Any other method besides that used by rssh will simply not work.
Another program which works (which does basically the same thing as
rssh) is scponly.

- --
Derek D. Martin
http://www.pizzashack.org/
GPG Key ID: 0xDFBEAD02

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQE/MThqdjdlQoHP510RAoFkAJ9lGT3ZhLFNtfVYMLMx9YdXGLv1TQCfeo8i
ob2QCBWrWNyCSc67NziQWmg=
=u6Kg
-----END PGP SIGNATURE-----

Next message: Derek Martin: "Re: Need sshd running in debug mode with multiple connections"

Previous message: Chris Macneill: "RE: Need sshd running in debug mode with multiple connections"
In reply to: Ranjeet Shetye: "Re: SFTP"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages

RE: limiting shell access with ssh, allowing sftp
... rssh for SFTP: either way, ... not support SFTP, though now it does. ... limiting shell access with ssh, ... I would like to disable remote shell access via OpenSSH for a certain ...
(SSH)
Re: Very safe FTPD?
... commands, no access to the whole filesystem, etc)? ... Just use sftp and rssh: ...
(comp.os.linux.misc)
Re: Securing Debian Manual: 5.1.4 Restricing access to file transfer only
... Give users a restricted shell such as scponly or rssh. ... shells restrict the commands available to the users so that they are ...
(Debian-User)
Re: [opensuse] SFTP performance degradation under Dolphin and Konqueror
... Dolpin and konqueror use kio_sftp to use the sftp protocol. ... the libssh library. ... For additional commands, e-mail: opensuse+help@xxxxxxxxxxxx ... In KDE < 4.3 times, kio_sftp called the sftp command line binary. ...
(SuSE)
SUMMARY: Non-interactive sftp
... whilst not allowing an interactive shell for this use. ... I had neglected to consider that sftp is simply an ssh subsystem - ... All of my research has led me to believe this is a permissions ... permissions on the mount-point where the destination filesystem ...
(SunManagers)