[nycbug-talk] also on SSH
G. Rosamond
george
Sat Nov 6 19:49:50 EST 2004
For OpenSSH, if you solve the hosts.allow issue, you should be fine
with the login.conf parameters.
But there's another OpenSSH option that may be useful for your
purposes, restricting directory access with chroot with one of these
options in your sshd_config:
ChRootUsers x,y,z
ChRootGroups x,y,z
This won't in itself restrict the *number* of processes a student could
invoke, obviously.
But you could also try out the following, to limit the commands a
student could run in their home directory, for instance.
On page 302 of the ORA SSH book, section 8.2.4.3, there's a script to
provide a limited command list, without access to a shell.
It's example 8.1 and the script is like this. . .I haven't tested it
live, but you probably should first. . .
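<script>
#!/bin/sh
# Restricted menu: offers a fixed list of commands, with no access to a shell.
/bin/echo "Welcome!
Your choices are:
1 See today's date
2 See who's logged in
3 See current processes
q Quit"
# printf instead of echo "\c": prompts without a newline on any POSIX sh.
printf '%s' "Your choice: "
# Exit on end-of-input, so a closed connection cannot leave the loop spinning.
read ans || exit 0
while [ "$ans" != "q" ]
do
    case "$ans" in
    1)
        /bin/date
        ;;
    2)
        /bin/who
        ;;
    3)
        # /usr/ucb/w is the SunOS/Solaris location; on BSD systems w is /usr/bin/w.
        /usr/ucb/w
        ;;
    q)
        /bin/echo "Goodbye"
        exit 0
        ;;
    *)
        /bin/echo "Invalid choice '$ans': please try again"
        ;;
    esac
    printf '%s' "Your choice: "
    read ans || exit 0
done
exit 0
</script>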
Phew. . .
g
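
Added example, not part of the original post or the O'Reilly book: a non-interactive counterpart to the menu above, meant to be installed as an SSH forced command. It runs a request only on an exact match against a fixed list; the install path and the authorized_keys line in the comments are assumptions.

```shell
#!/bin/sh
# Forced-command allowlist (added example). Assumed install, path hypothetical:
#   authorized_keys:
#     command="/usr/local/bin/ssh-allow",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty <student's public key>
#   or, per user or group in sshd_config:
#     ForceCommand /usr/local/bin/ssh-allow

# Map the requested command string to one fixed absolute path.
# Prints the path and returns 0 when allowed; returns 1 otherwise.
# The match is on the whole string, so "date; id" or "date -s ..." is refused.
resolve_command() {
    case "$1" in
        date) echo /bin/date ;;     # paths as used in the menu script above
        who)  echo /bin/who ;;
        w)    echo /usr/ucb/w ;;
        *)    return 1 ;;
    esac
}

# sshd places whatever the client asked to run in SSH_ORIGINAL_COMMAND.
# It is empty for an interactive login, which is refused here as well.
run_forced() {
    req=${SSH_ORIGINAL_COMMAND:-}
    if target=$(resolve_command "$req"); then
        # exec a fixed path with no arguments; nothing from the client
        # is ever passed to a shell for interpretation.
        exec "$target"
    fi
    echo "Denied: '$req' is not on the allowed list" >&2
    return 1
}

# Act only when started by sshd (which sets SSH_CONNECTION), so the
# functions can also be sourced and checked on their own.
if [ -n "${SSH_CONNECTION:-}" ]; then
    run_forced
fi
```
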