[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]

Re: users ssh access

From: Alan Peery <peery io com>
To: redhat-list redhat com
Subject: Re: users ssh access
Date: Fri Nov 22 07:30:40 2002

Ed Wilts wrote:

Here's the problem, and I'll let you suggest some solutions that are
actually secure.

Sounds fun. :-)

Allow hundreds of authenticated users scattered throughout the Internet to transfer files. Restrict uploads to pre-determined directories and downloads to other pre-determined directories. Allow automated processes to easily do this. Trivial to do with wu-ftpd and the ftpaccess file, but I've never found a way to allow an scp to honor any sort of directory restrictions. If any user has scp/sftp access, then they can simply use this or remote command execution to grab my system password file,

This sounds like a call for modifying the source of sshd. After sshd authenicates a user, it should be able to look at the users home directory in /etc/passwd. If it contains the character pattern that indicates to ftpd that it should operate chroot'd (././dir IIRC), then disallow remote command execution, run a different command/function when the ssh stream contains file transfers that operates chroot'd, and disallow any attempt at port forwarding.

It seems a relatively simple set of mods for sshd, and I am surprised that the OpenSSH people aren't interested. Perhaps there is something in the structure of the code that would make it unexpectedly difficult.

Alan
--
Alan Peery
peery io com

Follow-Ups:
- Re: users ssh access
  - From: Will Mc Donald

References:
- Re: users ssh access
  - From: Ed Wilts
- Re: users ssh access
  - From: R P Herrold
- Re: users ssh access
  - From: Ed Wilts

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]