Re: Restricting Secure Copy
From: Nico Kadel-Garcia (nkadel@bellatlantic.net) Date: 02/26/02
- Next message: Vincent Goupil: "OpenSSH 2.9 on FreeBSD 4.5"
- Previous message: hyatts@hursley.ibm.com: "setting sshd default user $PATH"
- In reply to: Ettiene Detroit: "Restricting Secure Copy"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Nico Kadel-Garcia" <nkadel@bellatlantic.net> Date: Tue, 26 Feb 2002 14:12:38 GMT
"Ettiene Detroit" <edetroit@kiss.my.ass.spammer.com> wrote in message
news:3C7B2128.CC7E952B@kiss.my.ass.spammer.com...
> I searched on the web and did not find this mentioned anywhere so...
>
> I am setting up a system to allow a secure file transfers from a client
> to my employer's servers. Depending on how the negotiations turn out we
> will either push the return data back or they will pull it. I am
> proposing to use openssh and scp with public key authentication to do
> the file transfers.
>
> After experimenting with chrooting the ssh login I hit upon using smrsh
> to restrict the commands a client could run. I set the user shell to
> /bin/smrsh and restricted the command set to scp only. I have tested
> this for both push and pull and it works nicely. So far I have been
> unable to break it and run anything other than scp but there are
> probably tricks I do not know about.
>
> I have two questions:
>
> 1. Does anyone know of a way to break this and actually get a login
> shell or run other commands?
Not offhand, but different smrsh's are old enough and poorly written enough
to have holes.
> 2. Is there anyway to prevent the client from pulling data from
> directories outside of their directory tree?
chroot cage. See my notes and tools at http://www.cag.lcs.mit.edu/~raoul/.
> The grapevine tells me that the competition has suggested using Cisco
> routers and IPSEC to establish tunnels between networks. I am not averse
> to this (I've done it before and it looks good on a resume :-) but if I
> can get this ssh trick to work we can probably come in at a lower bid.
>
> -- Stephen Carville http://www.heronforge.net/~stephen/gnupgkey.txt
Hmm. Need someone to build up the chroot cages? I could use the money...
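As an added example (not smrsh, and not code from anyone in this thread), here is the policy part of a minimal scp-only restricted shell in POSIX sh: an smrsh-style allow-list with metacharacter rejection, plus the directory check the original poster asks about in question 2. The ALLOWED_ROOT path and the set of accepted scp flags are assumptions.

```sh
#!/bin/sh
# Added example, not smrsh and not code from this thread: the policy part of a
# minimal scp-only restricted shell, modelled on smrsh's allow-list, plus the
# directory-confinement rule the second question asks about.
# Assumptions: the client's files live under ALLOWED_ROOT (hypothetical path),
# and sshd invokes this logic as the login shell with "-c <command line>".
ALLOWED_ROOT="/home/transfer"

# Characters smrsh refuses, so the allow-listed program cannot be chained
# with another one ("scp ... ; sh").
bad_chars=';|&<>()$`"\'"'"

# path_ok PATH -> 0 if PATH cannot leave the client's tree by name alone.
# Symlinks inside the tree could still point outside it; a chroot cage, as
# suggested in the reply above, closes that hole rather than this check.
path_ok() {
    case $1 in
        ..|../*|*/..|*/../*|"~"*) return 1 ;;   # parent-dir escapes, tilde
        /*) case $1 in
                "$ALLOWED_ROOT"|"$ALLOWED_ROOT"/*) return 0 ;;
                *) return 1 ;;
            esac ;;
        *) return 0 ;;   # relative: resolved under the home dir sshd starts in
    esac
}

# check_cmd CMDLINE -> 0 if the command line may run, 1 otherwise.
check_cmd() {
    printf '%s' "$1" | grep -q "[$bad_chars]" && return 1
    set -f; set -- $1; set +f        # split into words without globbing
    [ "$1" = scp ] || return 1       # allow-list: scp only, nothing else
    shift
    mode=""
    while [ $# -gt 0 ]; do
        case $1 in
            -f|-t) mode=$1 ;;        # server side of a pull (-f) or a push (-t)
            -r|-p|-d|-v) ;;          # options scp's remote side normally takes
            -*) return 1 ;;          # any other flag is refused
            *) path_ok "$1" || return 1 ;;
        esac
        shift
    done
    [ -n "$mode" ]                   # a bare "scp file" is not a transfer
}
```

Wire it in as the login shell's only action (run `scp "$@"` when check_cmd succeeds, exit otherwise); the check is by name only, so pair it with the chroot cage from the reply for the pull-outside-the-tree case.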