RE: ACL problems, any suggestions would be great

From: Turner, Carl H [NTK] (Carl.H.Turner_at_mail.sprint.com)
Date: 08/16/04

  • Next message: "Nguyen, David M": "Changing user password remotely using SSH script"
    Date: Mon, 16 Aug 2004 10:01:04 -0500
    To: "ALERT" <Alert@sifycorp.com>, <robert.lanning@gmail.com>, <secureshell@securityfocus.com>
    
    

    With a shared account? Yes. You can use multiple keys in your
    authorized_keys (OpenSSH). If the user has a matching private, it'll key
    it. If there's no match, password will be prompted for.

    As for running a single command once the user auths. (Just posted on
    this) Look into the command="" option for the authorized_keys (OpenSSH)
    file.

    -Carl

    -----Original Message-----
    From: ALERT [mailto:Alert@sifycorp.com]
    Sent: Thursday, August 12, 2004 12:18 AM
    To: robert.lanning@gmail.com; secureshell@securityfocus.com
    Subject: Fw: ACL problems, any suggestions would be great

    Can anybody help me in this matter?

    Is there any way to authenticate one user through key and another user
    through password?

    Any suggestions?

    Regds,
    Pravin

    ----- Original Message -----
    From: "Robert Hajime Lanning" <robert.lanning@gmail.com>
    To: <secureshell@securityfocus.com>
    Sent: Thursday, August 12, 2004 6:12 AM
    Subject: Re: ACL problems, any suggestions would be great

    > For authentication you can look into:
    >
    > RhostsRSAAuthentication yes
    > HostbasedAuthentication yes
    >
    > As for restricting to execution of a single command, I don't think
    > OpenSSH can do it.
    > I think the commercial SSH from http://www.ssh.com/ can.
    >
    > On Tue, 10 Aug 2004 13:57:35 -0400 (EDT), Bryan Loniewski
    > <brylon@jla.rutgers.edu> wrote:
    > >
    > > Here is what we'd like to do:
    > >
    > > User logs into some machine (frontend) starts pine, pine ssh's to another machine
    > > (backend) where their mail is actually stored in Maildir format and exec /etc/rimapd.
    > > We want to do this without the user having to enter a password again on the backend
    > > machine.
    > >
    > > Here are the problems:
    > >
    > > We don't want to use public-key.
    > > We don't want these users (the ones typing pine) to be allowed to login to the remote
    > > machine (backend).
    > > We don't want them to be allowed to execute any commands on the remote machine (with the
    > > exception of "exec /etc/rimapd").
    > >
    > > I could not come up with a solution to solve this problem with openssh. I started looking
    > > for other open implementations of secure shell and lsh caught my eye. Lsh appealed to me
    > > because you could specify a login shell for all users that would override the login shell
    > > in the passwd db (this was perfect since we could then create a shell called rimapd and
    > > it just executed /etc/rimapd). The reason I could not go with this solution is lsh
    > > does not have trusted host authentication mechanisms, so there was no way to have
    > > passwordless logins.
    > >
    > > Any suggestions?
    > >
    > > Thanks.
    > >
    > > Bryan
    > >
    >
    >
    > --
    > END OF LINE
    > -MCP
    >
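
The following is an added example, not part of the original thread: a small Python audit of an OpenSSH authorized_keys file that checks each key is pinned with the command="" option mentioned in the reply above and also carries the forwarding and pty restrictions. The sample entries, user names and key material are constructed placeholders; the `restrict` keyword is accepted as an assumption that a newer OpenSSH release is in use.

```python
KEY_TYPES = ("ssh-", "ecdsa-", "sk-")   # a line starting with these has no options field
LOCKDOWN = {"no-port-forwarding", "no-agent-forwarding", "no-x11-forwarding", "no-pty"}

def parse_options(line):
    """Return {option: value} from the options field of one authorized_keys line."""
    if line.startswith(KEY_TYPES):
        return {}
    opts, buf, quoted, i = [], "", False, 0
    while i < len(line):
        ch = line[i]
        if quoted and line[i:i + 2] == '\\"':   # escaped quote inside a value
            buf, i = buf + '"', i + 2
            continue
        if ch == '"':
            quoted = not quoted
        elif ch == "," and not quoted:          # option separator
            opts, buf = opts + [buf], ""
        elif ch in " \t" and not quoted:        # end of the options field
            break
        else:
            buf += ch
        i += 1
    pairs = (opt.partition("=") for opt in opts + [buf])
    return {name.lower(): value for name, _, value in pairs}  # keywords are case-insensitive

def audit(text, expected_command):
    """Return [(line number, problems)] for keys not pinned to expected_command."""
    findings = []
    for number, line in enumerate(map(str.strip, text.splitlines()), 1):
        if not line or line.startswith("#"):
            continue
        opts, problems = parse_options(line), []
        if opts.get("command") != expected_command:
            problems.append("forced command is not " + expected_command)
        missing = sorted(LOCKDOWN - set(opts))
        if missing and "restrict" not in opts:
            problems.append("missing " + ",".join(missing))
        if problems:
            findings.append((number, problems))
    return findings

# Constructed sample: key material is a placeholder, users are hypothetical.
SAMPLE = """\
command="/etc/rimapd",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty ssh-rsa AAAA...placeholder alice@frontend
command="/etc/rimapd" ssh-rsa AAAA...placeholder bob@frontend
ssh-rsa AAAA...placeholder carol@frontend
"""
if __name__ == "__main__":
    for number, problems in audit(SAMPLE, "/etc/rimapd"):
        print(number, "; ".join(problems))
```

A key with a forced command but no forwarding restrictions is still reported, because the command="" option by itself only replaces the command the client asked to run.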

