[nycbug-talk] also on SSH
Okan Demirmen
Sat Nov 6 21:19:56 EST 2004
On Sat 2004.11.06 at 19:49 -0500, G. Rosamond wrote:
> For OpenSSH, if you solve the hosts.allow issue, you should be fine
> with the login.conf parameters.
>
> But there's another OpenSSH option that may be useful for your
> purposes, restricting directory access with chroot with one of these
> options in your sshd_config:
>
> ChRootUsers x,y,z
> ChRootGroups x,y,z
>
> This won't in itself restrict the *number* of processes a student could
> invoke, obviously.
>
> But you could also try out the following, to limit the commands a
> student could run in their home directory, for instance.
>
> On page 302 of the ORA SSH book, section 8.2.4.3, there's a script to
> provide a limited command list, without access to a shell.
In addition to what George posted, I might recommend
systrace(4) or a restricted shell (rksh etc.). I've used both methods
in a large ISP's "bastion/management" host environment. Both worked
well, but I must admit that once systrace(4) was ironed out, I moved
everything to systrace(4) policies.
Okan
> It's example 8.1 and the script is like this. . .I haven't tested it
> live, but you probably should first. . .
>
>
> <script>
>
> #!/bin/sh
> # Menu shell: offers a fixed set of commands and never hands the user a
> # real shell.  Every command is given by full path so the student's PATH
> # is never consulted.  The "\c" form of echo (no trailing newline) is
> # System V; on a BSD echo use printf instead.
> /bin/echo "Welcome!
> Your choices are:
>
> 1 See today's date
> 2 See who's logged in
> 3 See current processes
> q Quit"
>
> /bin/echo "Your choice: \c"
> read ans
> while [ "$ans" != "q" ]
> do
>     case "$ans" in
>
>     1)
>         /bin/date
>         ;;
>     2)
>         /bin/who
>         ;;
>     3)
>         /usr/ucb/w      # SunOS path; /usr/bin/w on the BSDs
>         ;;
>     q)
>         /bin/echo "Goodbye"
>         exit 0
>         ;;
>     *)
>         /bin/echo "Invalid choice '$ans': please try again"
>         ;;
>     esac
>     /bin/echo "Your choice: \c"
>     read ans
> done
> exit 0
>
> </script>
>
> Phew. . .
>
> g
>
--
Okan Demirmen <okan at demirmen.com>
PGP-Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xB3670934
PGP-Fingerprint: 226D B4AE 78A9 7F4E CD2B 1B44 C281 AF18 B367 0934
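The quoted menu script, rewritten as the login shell a practitioner would actually deploy for a student account on an sshd host. This is an added example, not code from the ORA SSH book or from either poster; the install path /usr/local/bin/menu, the function names and the refusal message are assumptions. It keeps the book's shape (a fixed menu, no shell escape) and adds what a login shell on an sshd host needs: a PATH and umask set by the script rather than inherited, refusal of the "-c command" form that sshd uses for `ssh host cmd`, scp and the sftp subsystem, `read -r` so the answer is only ever compared and never executed, and INT/QUIT/TSTP ignored so the student cannot suspend the menu into a hung session.

```shell
#!/bin/sh
# Added example (not from the ORA SSH book or the original post): a
# restricted menu shell installed as a student account's login shell.
# Assumed install path: /usr/local/bin/menu, deliberately NOT listed in
# /etc/shells so services that consult getusershell(3) treat the account
# as restricted.

PATH=/bin:/usr/bin; export PATH   # never trust a PATH from the client side
umask 077

# classify_invocation ARGV0 [ARGS...]: decide how the shell was started.
#   remote - "-c cmd": sshd runs "$SHELL -c cmd" for 'ssh host cmd', for
#            scp and for the sftp subsystem; a menu shell must refuse these.
#   login  - argv[0] begins with '-': interactive login via sshd or login(1).
#   other  - run by hand (e.g. to test); only the functions get defined.
classify_invocation() {
    _arg0=$1
    [ $# -gt 0 ] && shift
    if [ "${1-}" = -c ]; then
        echo remote
    else
        case "$_arg0" in
            -*) echo login ;;
            *)  echo other ;;
        esac
    fi
}

# classify_choice CHOICE: validate a menu answer.  The text is only ever
# matched against literals; it never reaches a command line.
# Prints cmd, quit or invalid.
classify_choice() {
    case "$1" in
        1|2|3) echo cmd ;;
        q)     echo quit ;;
        *)     echo invalid ;;
    esac
}

# run_choice CHOICE: run the one fixed command for a valid choice.  Each
# branch is a literal program name resolved through the fixed PATH above.
run_choice() {
    case "$1" in
        1) date ;;
        2) who ;;
        3) w ;;      # /usr/bin/w on the BSDs; the book's /usr/ucb/w is SunOS
    esac
}

show_menu() {
    cat <<'EOF'
Welcome!
Your choices are:

1 See today's date
2 See who's logged in
3 See current processes
q Quit
EOF
}

main_loop() {
    # Ctrl-C, Ctrl-\ and Ctrl-Z must not kill or suspend the menu: there is
    # no parent shell to return to, so a suspended menu is a hung session.
    trap '' INT QUIT TSTP
    show_menu
    while :; do
        printf 'Your choice: '
        # -r keeps backslashes literal; EOF (client went away) ends the session.
        read -r ans || break
        case "$(classify_choice "$ans")" in
            cmd)  run_choice "$ans" ;;
            quit) echo "Goodbye"; break ;;
            *)    printf "Invalid choice '%s': please try again\n" "$ans" ;;
        esac
    done
    exit 0
}

# Dispatch on how we were started.  Run by hand, nothing happens, so the
# functions above can be exercised without a terminal.
case "$(classify_invocation "$0" "$@")" in
    remote) echo "This account allows interactive menu sessions only." >&2
            exit 1 ;;
    login)  main_loop ;;
esac
```

A menu shell only limits what the student can type; it does not limit what the client can ask sshd for, so pair it with `AllowTcpForwarding no` and `X11Forwarding no` in sshd_config (otherwise the session is still usable as a tunnel), and leave `PermitUserEnvironment` at its default of no, since `~/.ssh/environment` could otherwise hand variables such as LD_PRELOAD to /bin/sh before this script gets control. Process-count limits still belong in login.conf, as George says, and a systrace(4) policy on the menu binary, as in Okan's setup, is a sensible second layer on top of this.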