RE: ssh.com sshd 3.2.x, really enforcing sftp-only

From: Mark Senior (Mark.Senior_at_gov.ab.ca)
Date: 04/25/05

Next message: Dinesh Garg: "Unable to start server"

Previous message: Pfister, Thomas P: "RE: ssh.com sshd 3.2.x, really enforcing sftp-only"
Maybe in reply to: Mark Senior: "ssh.com sshd 3.2.x, really enforcing sftp-only"
Next in thread: Sonsurkar, Jayant: "RE: ssh.com sshd 3.2.x, really enforcing sftp-only"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Mon, 25 Apr 2005 11:22:40 -0600
To: <secureshell@securityfocus.com>

Hello again

Thanks for the help some have already offered. A quick update - it's
apparently slightly worse than I thought.

With plink/putty, this doesn't work, but with openssh it does (my tests
were from OS X and Solaris, other platforms should behave the same):

ssh user@host cmd

gives a full interactive shell. Grr.

In my testing, at least I wasn't able to execute programs kept on shares
accessible to the ssh server with

ssh user@host \\server\share\program.exe

so locking down the permissions on the server itself should be
reasonably complete.

I've found plenty of discussion of how to do this on a *nix server -
just change your users' shells in /etc/passwd to /sbin/sftp-server (or
wherever the sftp-server binary is kept), or to a simple program that
will exit with an error message if its arguments are anything but "-c
sftp-server".

Apparently you can do the same thing using openssh + cygwin, since it
involves making a "dummy" /etc/passwd file for cygwin programs to check.

Regards
Mark Senior

---End sensible content---

This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail.

Next message: Dinesh Garg: "Unable to start server"

Previous message: Pfister, Thomas P: "RE: ssh.com sshd 3.2.x, really enforcing sftp-only"
Maybe in reply to: Mark Senior: "ssh.com sshd 3.2.x, really enforcing sftp-only"
Next in thread: Sonsurkar, Jayant: "RE: ssh.com sshd 3.2.x, really enforcing sftp-only"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages

openssh to openssh scp ssh1 compatibility mode error
... i am aware of the ssh1 compatibility mode error problem when using scp ... to transfer files from an openssh client to a commercial ssh server. ...
(comp.security.ssh)
Re: two SSH compatibility scenarios: can it work?
... We are required to use SSH to log into the Engineering lab machines. ... > server software displays this header upon telnet connection to port 22. ... I still use Windows on my notebook for application compatibility. ... > running OpenSSH 3.4p1. ...
(comp.security.ssh)
Re: SSH
... >> OpenSSH client, SSH server will report at least one or more implementation ... When using an SSH client to ...
(comp.unix.solaris)
Re: Zugriff auf Linux via SSH
... Es gibt natürlich freie SSH Tools (Putty, OpenSSH), die aber leider erst ... Somit hat sich unser Projekt immer zweigeteilt - halt die Server ... Applikation auf dem eigentlichen Server und dann auf den per SSH ...
(microsoft.public.de.german.entwickler.dotnet.csharp)
Re: Trouble with X11 over SSH on Mandriva 2010.0
... If next clean install/update causes ssh to break, ... installed the sshd daemon/service package (OpenSSH Server) on the server. ... correct values for client and server. ...
(comp.os.linux.networking)