[nycbug-talk] restricted login shell and ssh
Jesse Callaway
bonsaime at gmail.com
Wed Feb 13 14:21:04 EST 2008
Nice. You ever use the Match blocks for anything useful?
-jesse
On Wed, Feb 13, 2008 at 11:00 AM, George Georgalis <george at galis.org> wrote:
>
> yeah, like so...
>
> #AuthorizedKeysFile .ssh/authorized_keys
> AuthorizedKeysFile /etc/ssh/auth/%u.pub
>
> in /etc/ssh/sshd_config
>
> // George
>
> On Tue, Feb 12, 2008 at 07:20:19PM -0500, Jesse Callaway wrote:
> >whoa, wait... you put user's authorized keys files in /etc/ssh ?
> >That's great! I only read about the ~/.ssh location for this file. (I'm
> >just going to follow the t/p to keep this consistent)
> >
> >-jesse
> >
> >On Mon, Feb 11, 2008 at 1:37 PM, George Georgalis <george at galis.org> wrote:
> >> I thought the standard way was to modify the line
> >> used in authorized_keys? e.g. you can specify "only
> >> allow the rsync command" on the same line you put the
> >> user's public key.... note I configure sshd to use
> >> /etc/ssh/auth/${USER}.pub for auth keys, since users
> >> can't normally manage that file anyway... (especially
> >> with pam disabled for ssh) the technique I describe is a
> >> free chapter from the O'Reilly openssh book.
> >>
> >> the link seems mostly for Kerberos-based systems
> >>
> >> // George
> >>
> >> On Mon, Feb 11, 2008 at 11:31:47AM -0500, Jesse Callaway wrote:
> >> >I popped my hand up and made a statement in the OpenSSH meeting
> >> >recently and made a completely false assertion. Tested it this
> >> >morning. I said that you could still pass commands to the shell (which
> >> >shell I was thinking of, I'm not sure...) if a user has a restricted
> >> >login, such as rsynconly. Hopefully nobody believed me. Anyway, using
> >> >the script referenced below I made a user with a restricted login. I'm
> >> >sure false or nologin would have proved it to myself more readily, but
> >> >I like to take the long way to figure out I'm wrong.
> >> >
> >> >http://www.oreillynet.com/linux/blog/2006/05/restricting_rsync_over_ssh.html
> >> >
> >> >So I ran
> >> >ssh sinko@server.com "ls -R"
> >> >
> >> >The ls -R command was passed as an argument to the rsynconly shell, and
> >> >lo! I was not able to issue the command to "the shell". Duh.
> >> >
> >> >To beat it into my skull I ran
> >> >sftp sinko@server.com
> >> >
> >> >Here I got the message "Received message too long <some number>"
> >> >
> >> >Short story is that I was assuming that sshd will pass commands on to
> >> >/bin/sh no matter what. Well, it doesn't. It passes commands on to the
> >> >shell specified in your login config.
> >> >
> >> >Here is a nice link explaining a little bit about how the subsystems
> >> >(scp, sftp) are called.
> >> >
> >> >http://www.snailbook.com/faq/sftp-corruption.auto.html
> >> >
> >> >-jesse
> >> >_______________________________________________
> >> >talk mailing list
> >> >talk at lists.nycbug.org
> >> >http://lists.nycbug.org/mailman/listinfo/talk
> >> >
> >>
> >> --
> >> George Georgalis, information system scientist <IXOYE><
> >>
> >
>
> --
> George Georgalis, information system scientist <IXOYE><
>
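The command= approach George describes, worked out as an added example (this is not code from the thread or from the O'Reilly post; the install path /usr/local/bin/rsync-only, the allowed tree /srv/backup and the user name backup are assumptions): sshd drops the client's requested command, runs this wrapper instead, and the wrapper only lets a server-side rsync confined to one directory tree through.

```shell
#!/bin/sh
# Forced-command wrapper for an rsync-only key. Constructed for this example:
# install path /usr/local/bin/rsync-only, allowed tree /srv/backup, user "backup".
# With sshd's AuthorizedKeysFile /etc/ssh/auth/%u.pub, /etc/ssh/auth/backup.pub holds:
#
#   command="/usr/local/bin/rsync-only --enforce",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-rsa AAAA...KEY-PLACEHOLDER... backup@client
#
# sshd ignores the client's command, runs the command= program through the login
# shell instead, and exposes what the client asked for in SSH_ORIGINAL_COMMAND.

ALLOWED_ROOT=/srv/backup

# rsync_policy CMD: return 0 if CMD is an acceptable server-side rsync call, else 1
rsync_policy() {
    cmd=$1
    [ -n "$cmd" ] || return 1               # no command at all: a shell request
    # allowlist the characters rsync's server command line needs; anything
    # else (; | $ ` quotes, globs) means the client is after more than rsync
    stripped=$(printf '%s' "$cmd" | tr -d '[:alnum:]_=./ -')
    [ -z "$stripped" ] || return 1
    case "$cmd" in
        "rsync --server "*) ;;              # only the server side of rsync
        *) return 1 ;;
    esac
    case "$cmd" in
        *..*) return 1 ;;                   # no climbing out of the tree
    esac
    # the last word of the server command is the path rsync will read or write
    last=
    for w in $cmd; do last=$w; done
    case "$last" in
        "$ALLOWED_ROOT"|"$ALLOWED_ROOT"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Enforce only when started from authorized_keys (the --enforce flag), so the
# file can also be sourced to exercise rsync_policy on its own.
if [ "${1-}" = "--enforce" ]; then
    if rsync_policy "${SSH_ORIGINAL_COMMAND-}"; then
        # word splitting is intended; the allowlist above rules out globs and quotes
        exec $SSH_ORIGINAL_COMMAND
    fi
    echo "rsync-only: rejected: ${SSH_ORIGINAL_COMMAND:-<interactive>}" >&2
    exit 1
fi
```

Rejected requests (an interactive login, `ls -R`, an sftp subsystem request, a path outside the tree) are logged to stderr and the session ends, which is the same outcome the restricted shell gave Jesse but keyed to the public key rather than to the account's login shell.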