RE: ssh.com sshd 3.2.x, really enforcing sftp-only
From: Mark Senior (Mark.Senior_at_gov.ab.ca)
Date: Mon, 25 Apr 2005 11:22:40 -0600 To: <email@example.com>
Thanks for the help some have already offered. A quick update - it's
apparently slightly worse than I thought.
With plink/putty, this doesn't work, but with openssh it does (my tests
were from OS X and Solaris, other platforms should behave the same):
ssh user@host cmd
gives a full interactive shell. Grr.
In my testing, at least I wasn't able to execute programs kept on shares
accessible to the ssh server with
ssh user@host \\server\share\program.exe
so locking down the permissions on the server itself should be
I've found plenty of discussion of how to do this on a *nix server -
just change your users' shells in /etc/passwd to /sbin/sftp-server (or
wherever the sftp-server binary is kept), or to a simple program that
will exit with an error message if its arguments are anything but "-c
Apparently you can do the same thing using openssh + cygwin, since it
involves making a "dummy" /etc/passwd file for cygwin programs to check.
---End sensible content---
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail.