On Wed, 16 Aug 2000, mike ledoux wrote:
> Of course, the big downside is that all of your mail users now need to
> have shell access to the pop/imap server so they can establish the ssh
> tunnel.

  I think you can plug that hole.  Simply disable the login shell (I use a
short shell script called /bin/noshell, others simply use /bin/true or
/bin/false).  SSH uses the shell to start any command you pass it, so this
effectively disables any kind of command execution.  Then use the client in
port-forwarding-only mode ("-N" for the OpenSSH client).  This does require
SSH protocol version 2, but other than that, should work.  Unless I missed
something?

  If that is not sufficient, we've got the source.  It should be trivial to
add an option to sshd to prevent command execution at all.

  Possibly of more concern is that this allows an authorized client to
originate a connection from any unprivileged port on the mail server, as if
they were logged into the mail server.  If you've got host trust relationships
in use, this could be a problem.  (But then, I generally think host trust
relationships are a bad idea in any event.)

-- 
Ben Scott <[EMAIL PROTECTED]>
Net Technologies, Inc. <http://www.ntisys.com>
Voice: (800)905-3049 x18   Fax: (978)499-7839
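As an added example (not from the message or the list): a small POSIX shell check, with constructed passwd lines, that flags accounts whose shell still allows command execution under the scheme above, where mail users are meant to have /bin/noshell, /bin/true or /bin/false so that ssh -N can only forward ports. The list of accepted "no shell" values is an assumption taken from the message.

```shell
#!/bin/sh
# Added example, not part of the original message. Audits a passwd-format
# file for accounts whose shell still allows commands. The tunnel-only scheme
# only holds if every POP/IMAP user's shell is a "no shell" entry, because
# sshd runs any requested command through that shell.
#
# Client side, for reference (OpenSSH, protocol 2): forward local port 1110
# to the server's POP3 port without requesting a shell:
#   ssh -N -L 1110:localhost:110 user@mailserver

# Shells that disable command execution (assumed list from the message).
NOSHELLS="/bin/noshell /bin/true /bin/false"

# is_noshell SHELL -> exit 0 if SHELL is one of NOSHELLS, 1 otherwise
is_noshell() {
    for s in $NOSHELLS; do
        [ "$1" = "$s" ] && return 0
    done
    return 1
}

# list_login_shells PASSWD_FILE
# Prints "user:shell" for every account whose shell still allows commands.
# An empty shell field is treated as /bin/sh, as login(1) does.
list_login_shells() {
    while IFS=: read -r user pw uid gid gecos home shell; do
        [ -z "$user" ] && continue
        [ -z "$shell" ] && shell=/bin/sh
        is_noshell "$shell" || printf '%s:%s\n' "$user" "$shell"
    done < "$1"
}

# Constructed sample passwd data for demonstration; dave has an empty shell
# field and therefore still gets a real login shell.
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/sh
alice:x:1001:100:Alice:/home/alice:/bin/noshell
bob:x:1002:100:Bob:/home/bob:/bin/false
carol:x:1003:100:Carol:/home/carol:/bin/bash
dave:x:1004:100:Dave:/home/dave:
EOF
}
```

Run `sample_passwd > /tmp/pw; list_login_shells /tmp/pw` (or point it at the real /etc/passwd) to see which accounts would still be able to execute commands over ssh.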

