On 2017-04-24, at 16:17, Pew, Curtis G wrote:
>>
>> sftp depends on ssh. But ... is it possible to configure ssh so only the
>> sftp agent, not a shell, is allowed as an ssh agent on the server?
>
> Yes, at least on Linux. We have a server where most of the accounts are
> specified with ‘sftp-server’ as the login shell, so authorized users can drop
> off or pick up files from those accounts, but cannot run any code.
>
> I haven’t tried this on z/OS.
>
From "man ssh" (on Linux):

    NAME
         ssh — OpenSSH SSH client (remote login program)
    SYNOPSIS
         ssh [-options] [user@]hostname [command]
    DESCRIPTION
         ...
         If command is specified, it is executed on the remote host instead of a
         login shell.

Note "instead of", providing a circumvention.

And, on z/OS, the BPXWUNIX I mentioned earlier.

Just don't let "most of the accounts" access/alter critical resources.

-- gil
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
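
Added example, not part of the original thread: a small audit of the effective OpenSSH server settings for one account, checking that file transfer is the only thing the account can do (forced `internal-sftp`, no forwarding, no TTY, a chroot). It assumes the input is the text printed by `sshd -T -C user=NAME,host=HOST,addr=ADDR`; the function names are hypothetical and the two sample outputs are constructed.

```python
# Added example: audit the effective sshd settings for one account.
# Input: text printed by `sshd -T -C user=NAME,host=HOST,addr=ADDR`,
# one lowercase "keyword value" pair per line.

# Settings that must be off for a file-transfer-only account.
MUST_BE_NO = ("allowtcpforwarding", "x11forwarding", "permittty")

def parse_effective(text):
    """Return {keyword: value} from sshd -T style output."""
    settings = {}
    for line in text.splitlines():
        key, _, value = line.strip().partition(" ")
        if key:
            settings[key.lower()] = value.strip()
    return settings

def audit_sftp_only(text):
    """Return a list of findings; an empty list means sftp-only is enforced."""
    s = parse_effective(text)
    findings = []
    forced = s.get("forcecommand", "none")
    # ForceCommand makes sshd ignore whatever command the client supplies.
    if forced.split()[:1] != ["internal-sftp"]:
        findings.append(f"forcecommand is {forced!r}, expected internal-sftp")
    for key in MUST_BE_NO:
        value = s.get(key, "unset")
        if value != "no":
            findings.append(f"{key} is {value!r}, expected 'no'")
    # Advisory: a chroot limits which files the account can reach.
    if s.get("chrootdirectory", "none") == "none":
        findings.append("chrootdirectory is not set")
    return findings

# Constructed sample outputs (not captured from a real server).
HARDENED = """forcecommand internal-sftp -l INFO
chrootdirectory /srv/sftp/%u
allowtcpforwarding no
x11forwarding no
permittty no
"""
WEAK = """forcecommand none
chrootdirectory none
allowtcpforwarding yes
x11forwarding no
permittty yes
"""

if __name__ == "__main__":
    for name, sample in (("hardened", HARDENED), ("weak", WEAK)):
        print(name, audit_sftp_only(sample) or "OK")
```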