RE: ssh.com sshd 3.2.x, really enforcing sftp-only

From: Mark Senior (Mark.Senior_at_gov.ab.ca)
Date: 04/25/05

  • Next message: Dinesh Garg: "Unable to start server"
    Date: Mon, 25 Apr 2005 11:22:40 -0600
    To: <secureshell@securityfocus.com>
    
    

    Hello again

    Thanks for the help some have already offered. A quick update - it's
    apparently slightly worse than I thought.

    With plink/putty, this doesn't work, but with openssh it does (my tests
    were from OS X and Solaris, other platforms should behave the same):

    ssh user@host cmd

    gives a full interactive shell. Grr.

    In my testing, at least I wasn't able to execute programs kept on shares
    accessible to the ssh server with

    ssh user@host \\server\share\program.exe

    so locking down the permissions on the server itself should be
    reasonably complete.

    I've found plenty of discussion of how to do this on a *nix server -
    just change your users' shells in /etc/passwd to /sbin/sftp-server (or
    wherever the sftp-server binary is kept), or to a simple program that
    will exit with an error message if its arguments are anything but "-c
    sftp-server".

    Apparently you can do the same thing using openssh + cygwin, since it
    involves making a "dummy" /etc/passwd file for cygwin programs to check.

    Regards
    Mark Senior

    ---End sensible content---

    This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail.


  • Next message: Dinesh Garg: "Unable to start server"