[nycbug-talk] restricted login shell and ssh

George Georgalis george at galis.org
Wed Feb 13 11:00:57 EST 2008


yeah, like so...

#AuthorizedKeysFile     .ssh/authorized_keys
AuthorizedKeysFile      /etc/ssh/auth/%u.pub

in /etc/ssh/sshd_config

// George





On Tue, Feb 12, 2008 at 07:20:19PM -0500, Jesse Callaway wrote:
>whoa, wait... you put user's authorized keys files in /etc/ssh ?
>That's great! I only read about the ~/.ssh location for this file. ('m
>just going to follow the t/p to keep this consistent)
>
>-jesse
>
>On Mon, Feb 11, 2008 at 1:37 PM, George Georgalis <george at galis.org> wrote:
>> I thought the standard way was to modify the line
>>  used in authorized_keys? eg you can specify "only
>>  allow the rsync command" on the same line you put the
>>  users public key.... note I configure sshd to use
>>  /etc/ssh/auth/${USER}.pub for auth keys, since users
>>  can't normally manage that file anyway... (especially
>>  with pam disabled for ssh) the technique I describe is a
>>  free chapter from the O'Reiley openssh book.
>>
>>  the link seems mostly for kererbos based systems
>>
>>  // George
>>
>>
>>
>>  On Mon, Feb 11, 2008 at 11:31:47AM -0500, Jesse Callaway wrote:
>>  >I popped my hand up and made a statement in the OpenSSH meeting
>>  >recently and made a completely false assertion. Tested it this
>>  >morning. I said that you could still pass commands to the shell (which
>>  >shell I was thinking of, I'm not sure...) if a user has a restricted
>>  >login, such as rsynconly. Hopefully nobody believed me. Anyway, using
>>  >the script referenced below I made a user with a restricted login. I'm
>>  >sure false or nologin would have proved it to myself more readily, but
>>  >I like to take the long way to figure out I'm wrong.
>>  >
>>  >http://www.oreillynet.com/linux/blog/2006/05/restricting_rsync_over_ssh.html
>>  >
>>  >So I ran
>>  >ssh sinko at server.com "ls -R"
>>  >
>>  >The ls -R command was passed as an argument to the rsynonly shell, and
>>  >lo! I was not able to issue the command to "the shell" Duh.
>>  >
>>  >To beat it into my skull I ran
>>  >sftp sinko at server.com
>>  >
>>  >Here I got the message "Received message too long <some number>"
>>  >
>>  >Short story is that I was assuming that sshd will pass commands on to
>>  >/bin/sh no matter what. Well, it doesn't. It passes commands on to the
>>  >shell specified in your login config.
>>  >
>>  >Here is a nice link explaining a little bit about how the subsystems
>>  >(scp, sftp) are called.
>>  >
>>  >http://www.snailbook.com/faq/sftp-corruption.auto.html
>>  >
>>  >-jesse
>>  >_______________________________________________
>>  >talk mailing list
>>  >talk at lists.nycbug.org
>>  >http://lists.nycbug.org/mailman/listinfo/talk
>>  >
>>
>>  --
>>  George Georgalis, information system scientist <IXOYE><
>>  _______________________________________________
>>  talk mailing list
>>  talk at lists.nycbug.org
>>  http://lists.nycbug.org/mailman/listinfo/talk
>>
>_______________________________________________
>talk mailing list
>talk at lists.nycbug.org
>http://lists.nycbug.org/mailman/listinfo/talk
>

-- 
George Georgalis, information system scientist <IXOYE><



More information about the talk mailing list