Re: openssh: Enabling sftp, but disabling ssh?



Derek Martin wrote:
I will say I wrote rssh in part because I thought Joe's approach to
scponly was more complicated and hard to audit

I did stop using rssh as whenever I tried to access ~ on the remote end
it would cause an error message that /chroot/home/user didn't exist;
which, of course, it doesn't from within the chroot. Whereas scponly
would reject ~ with an error regarding wildcards, which was less
confusing for users.

However! This thread has just made me realise that a symlink inside the
chroot linking /chroot/chroot to /chroot (Or rather chroot to . within
/chroot) means that rssh works perfectly again! So I've gone back to
using it again! :)

I did consider modifying rssh so that it substitutes the user's home
path from the chroot's passwd file for ~ but that may not be appropriate
for all circumstances and the symlink is easy enough to implement.

Take care,

Ben
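The symlink trick Ben describes, written up as an added example (not code from this thread, rssh or scponly): it recreates the chroot's own absolute path inside the chroot as a relative link back to the root, and includes a check that a passwd-style home path resolves to a directory that is still inside the chroot. It assumes the chroot root is given as an absolute path, and it generalises beyond /chroot by emitting one `..` per extra path component.

```shell
#!/bin/sh
# Added example: inside a chroot at ROOT, create ROOT/ROOT as a relative
# symlink that resolves back to ROOT, so a passwd home of ROOT/home/user
# still resolves once the process is chrooted. For ROOT=/chroot this is the
# "chroot -> ." link from the thread; /srv/jail gets /srv/jail/srv/jail -> ..
set -u

make_chroot_self_link() {
    root=$1
    case $root in
        /*) ;;
        *) echo "root must be an absolute path: $root" >&2; return 1 ;;
    esac
    link="$root$root"                      # e.g. /chroot/chroot
    # Number of path components minus one == number of ".." needed.
    depth=$(printf '%s' "${root#/}" | tr -cd '/' | wc -c)
    depth=$((depth + 0))                   # trims wc's padded output
    target=.
    while [ "$depth" -gt 0 ]; do
        [ "$target" = . ] && target=.. || target="../$target"
        depth=$((depth - 1))
    done
    mkdir -p "$(dirname "$link")" || return 1
    if [ -L "$link" ]; then
        [ "$(readlink "$link")" = "$target" ]   # already correct?
    else
        ln -s "$target" "$link"
    fi
}

# Simulate what a chrooted process sees for HOME_PATH: the path is looked up
# relative to ROOT. Succeeds only if it lands on a directory still under ROOT.
chroot_resolves_home() {
    root=$(cd "$1" && pwd -P) || return 1
    real=$(cd "$root$2" 2>/dev/null && pwd -P) || return 1
    case $real in
        "$root"|"$root"/*) return 0 ;;
        *) return 1 ;;
    esac
}
```

Because the link target is relative, it cannot point outside the chroot even if the directory tree is later moved; the mirror directories created by `mkdir -p` are empty and only exist to host the link.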
