Hi,

DEFFONTAINES Vincent wrote:
>
> 1. Remove the users' access to the ssh program
> (eg change ownership and rights of /usr/bin/ssh and create a "ssh" group for
> allowed outgoing ssh users).
> 2. Mount /home, /tmp and any other place users might have write access on
> with the "noexec" switch, so they can only use binaries installed (and
> allowed to them) on the system.

no:

debian:~# /usr/local/bin/ssh -V
ssh: SSH Secure Shell 3.0.1 (non-commercial version) on i586-pc-linux-gnu
debian:~# cp /usr/local/bin/ssh /tmp/ssh
debian:~# chmod -x /tmp/ssh
debian:~# /tmp/ssh -V
su: /tmp/ssh: Permission denied
debian:~# /lib/ld-linux.so.2 /tmp/ssh -V
ssh: SSH Secure Shell 3.0.1 (non-commercial version) on i586-pc-linux-gnu

You can chroot the user and give him only some specific binaries, so that
the user is no longer able to execute his own code. Then he can't ssh anymore.

The other way is via the network. You can deny network usage for the user, for
all ports or only for specific ports.
Is there any packet filter which can block only outgoing ssh sessions?

Regards,
Ralf Dreibrodt

--
Mesos              Telefon 49 221 4855798-1
Eupener Str. 150   Fax     49 221 4855798-9
50933 Koeln        Mail    [EMAIL PROTECTED]
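A detection-side companion to the transcript above, added here and not part of the original message: it flags process records in which a program from a user-writable directory is started through the dynamic loader, the `/lib/ld-linux.so.2 /tmp/ssh` pattern shown. The record format ("user command-line"), the directory list and all function names are assumptions made for this example.

```shell
# Assumed input: one "user command-line" record per line (constructed format).
# Directories treated as user-writable (assumption; adjust per host).
WRITABLE_DIRS="/tmp /var/tmp /home /dev/shm"

# True if the basename of $1 looks like the glibc dynamic loader.
is_loader() {
    case "${1##*/}" in ld-linux.so.*|ld-linux-*.so.*|ld.so|ld.so.*) return 0 ;; esac
    return 1
}

# True if $1 lies under one of WRITABLE_DIRS.
in_writable_dir() {
    for _d in $WRITABLE_DIRS; do
        case "$1" in "$_d"/*) return 0 ;; esac
    done
    return 1
}

# Print the program the loader was asked to run, skipping loader options
# and the value of each option that takes one.
loader_target() {
    while [ $# -gt 0 ]; do
        case "$1" in
            --library-path|--inhibit-rpath|--audit|--preload|--argv0)
                shift; [ $# -gt 0 ] && shift ;;
            -*) shift ;;
            *) printf '%s\n' "$1"; return 0 ;;
        esac
    done
    return 1
}

# Read records on stdin; print "user target" for each loader-run writable-dir program.
flag_loader_exec() {
    set -f    # no filename expansion while arguments are split
    while read -r _user _cmd _rest; do
        is_loader "$_cmd" || continue
        _target=$(loader_target $_rest) || continue
        if in_writable_dir "$_target"; then printf '%s %s\n' "$_user" "$_target"; fi
    done
    set +f
}

sample_records() {    # constructed sample input
    printf '%s\n' 'alice /usr/bin/ssh -V' 'bob /lib/ld-linux.so.2 /tmp/ssh -V' \
        'carol /lib64/ld-linux-x86-64.so.2 --library-path /opt/lib /home/carol/bin/tool' \
        'dave /lib/ld-linux.so.2 --list /usr/bin/ssh'
}
sample_records | flag_loader_exec
```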

