Re: restrict ssh access
On Fri, Apr 25, 2008 at 07:50:47PM +, D Hill wrote:
> On Fri, 25 Apr 2008 at 14:30 -0500, [EMAIL PROTECTED] confabulated:
>
>> --On Friday, April 25, 2008 16:41:07 + D Hill <[EMAIL PROTECTED]>
>> wrote:
>>
>>> On Fri, 25 Apr 2008 at 09:30 -0700, [EMAIL PROTECTED] confabulated:
>>>
>>>> On Apr 25, 2008, at 6:46 AM, Geert Geurts wrote:
>>>>> I've got a server running a ssh server, I want to enable ssh for the use
>>>>> of sftp by a group of users, and limit their ssh access to just allow
>>>>> running passwd so they can change their default password. What would be
>>>>> the best/easiest way to accomplish this, or something similar?
>>>>
>>>> I wonder what would happen if you gave them a shell of "/usr/bin/passwd"...? :-)
>>>
>>> That should work. I just tested. When an ssh connection is made, it
>>> executes
>>> passwd. As soon as the password is changed, the ssh connection was closed:
>>>
>>>    %ssh -l asdf 192.168.1.50
>>>    Password:
>>>    ...
>>>    Changing local password for asdf
>>>    Old Password:
>>>    New Password:
>>>    Retype New Password:
>>>    Connection to 192.168.1.50 closed.
>>
>> Should make for some fascinating experiences with sftp. :-)
>
> I believe the connection would just close. Somehow I missed that sftp part :-(

Indeed, the connection closes. It looks like the SSH server relies on a valid login shell program to run the SFTP server.

Anyway, may I suggest using ACL? You'll have to add the 'acls' option in fstab and do a reboot. After that, put those users in a group and deny that group all the permissions (r,w,x) on all executables on the system. Set r-x permissions on their _login shell_ (i.e. /bin/csh, /bin/sh etc.) and /usr/bin/passwd executable.

It worked for me.
--
Valeriu Mutu
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
Re: restrict ssh access
On Fri, Apr 25, 2008 at 07:50:47PM +, D Hill wrote:
> On Fri, 25 Apr 2008 at 14:30 -0500, [EMAIL PROTECTED] confabulated:
>
>> --On Friday, April 25, 2008 16:41:07 + D Hill <[EMAIL PROTECTED]>
>> wrote:
>>
>>> On Fri, 25 Apr 2008 at 09:30 -0700, [EMAIL PROTECTED] confabulated:
>>>
>>>> On Apr 25, 2008, at 6:46 AM, Geert Geurts wrote:
>>>>> I've got a server running a ssh server, I want to enable ssh for the use
>>>>> of sftp by a group of users, and limit their ssh access to just allow
>>>>> running passwd so they can change their default password. What would be
>>>>> the best/easiest way to accomplish this, or something similar?
>>>>
>>>> I wonder what would happen if you gave them a shell of "/usr/bin/passwd"...? :-)
>>>
>>> That should work. I just tested. When an ssh connection is made, it
>>> executes
>>> passwd. As soon as the password is changed, the ssh connection was closed:
>>>
>>>    %ssh -l asdf 192.168.1.50
>>>    Password:
>>>    ...
>>>    Changing local password for asdf
>>>    Old Password:
>>>    New Password:
>>>    Retype New Password:
>>>    Connection to 192.168.1.50 closed.
>>
>> Should make for some fascinating experiences with sftp. :-)
>
> I believe the connection would just close. Somehow I missed that sftp part :-(

One more thing: you'll have to set r-x permissions for /usr/libexec/sftp-server as well.

To summarize, you'll have to set r-x permissions for the user's shell, passwd utility and sftp-server. All other executables can be denied access...

--
Valeriu Mutu
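A dry-run sketch of the ACL approach summarized in the message above, added here as an example (not part of the original thread): it prints the setfacl commands for review instead of running them. The group name sftponly and the function acl_plan are hypothetical; the three allowed paths are the ones named in the thread, and the file system is assumed to be mounted with the 'acls' option.

```sh
#!/bin/sh
# Added example, not from the thread. Hypothetical names: group "sftponly",
# function acl_plan. Assumes the file system is mounted with the 'acls' option.

# Executables the restricted group keeps r-x on (paths named in the thread).
ALLOWED="/bin/sh
/usr/bin/passwd
/usr/libexec/sftp-server"

# acl_plan GROUP
# Reads executable paths on stdin (one per line) and prints one setfacl
# command per path. Nothing is modified: review the output, then pipe it to sh.
acl_plan() {
    group=$1
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        perms="---"
        # Whole-line fixed-string match, so /bin/sh does not also allow /bin/sh.bak.
        if printf '%s\n' "$ALLOWED" | grep -Fxq -- "$path"; then
            perms="r-x"
        fi
        # Single-quote the path so the emitted command is safe to feed to sh.
        quoted=$(printf '%s' "$path" | sed "s/'/'\\\\''/g")
        printf "setfacl -m g:%s:%s '%s'\n" "$group" "$perms" "$quoted"
    done
}

# Typical use (as root, after reviewing the plan):
#   find /bin /usr/bin /usr/libexec -type f -perm -0001 | acl_plan sftponly
```

Under POSIX.1e ACL evaluation, a matching group entry with no permissions denies access only if no other group entry matching the user grants it, so the restricted users should not also belong to the files' owning group.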
Re: restrict ssh access
On Fri, 25 Apr 2008 at 14:30 -0500, [EMAIL PROTECTED] confabulated:

> --On Friday, April 25, 2008 16:41:07 + D Hill <[EMAIL PROTECTED]>
> wrote:
>
>> On Fri, 25 Apr 2008 at 09:30 -0700, [EMAIL PROTECTED] confabulated:
>>
>>> On Apr 25, 2008, at 6:46 AM, Geert Geurts wrote:
>>>> I've got a server running a ssh server, I want to enable ssh for the use
>>>> of sftp by a group of users, and limit their ssh access to just allow
>>>> running passwd so they can change their default password. What would be
>>>> the best/easiest way to accomplish this, or something similar?
>>>
>>> I wonder what would happen if you gave them a shell of "/usr/bin/passwd"...? :-)
>>
>> That should work. I just tested. When an ssh connection is made, it executes
>> passwd. As soon as the password is changed, the ssh connection was closed:
>>
>>    %ssh -l asdf 192.168.1.50
>>    Password:
>>    ...
>>    Changing local password for asdf
>>    Old Password:
>>    New Password:
>>    Retype New Password:
>>    Connection to 192.168.1.50 closed.
>
> Should make for some fascinating experiences with sftp. :-)

I believe the connection would just close. Somehow I missed that sftp part :-(
Re: restrict ssh access
--On Friday, April 25, 2008 16:41:07 + D Hill <[EMAIL PROTECTED]> wrote:

> On Fri, 25 Apr 2008 at 09:30 -0700, [EMAIL PROTECTED] confabulated:
>
>> On Apr 25, 2008, at 6:46 AM, Geert Geurts wrote:
>>> I've got a server running a ssh server, I want to enable ssh for the use
>>> of sftp by a group of users, and limit their ssh access to just allow
>>> running passwd so they can change their default password. What would be
>>> the best/easiest way to accomplish this, or something similar?
>>
>> I wonder what would happen if you gave them a shell of "/usr/bin/passwd"...? :-)
>
> That should work. I just tested. When an ssh connection is made, it executes
> passwd. As soon as the password is changed, the ssh connection was closed:
>
>    %ssh -l asdf 192.168.1.50
>    Password:
>    ...
>    Changing local password for asdf
>    Old Password:
>    New Password:
>    Retype New Password:
>    Connection to 192.168.1.50 closed.

Should make for some fascinating experiences with sftp. :-)

--
Paul Schmehl ([EMAIL PROTECTED])
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/
Re: restrict ssh access
On Fri, 25 Apr 2008 at 09:30 -0700, [EMAIL PROTECTED] confabulated:

> On Apr 25, 2008, at 6:46 AM, Geert Geurts wrote:
>> I've got a server running a ssh server, I want to enable ssh for the use
>> of sftp by a group of users, and limit their ssh access to just allow
>> running passwd so they can change their default password. What would be
>> the best/easiest way to accomplish this, or something similar?
>
> I wonder what would happen if you gave them a shell of "/usr/bin/passwd"...? :-)

That should work. I just tested. When an ssh connection is made, it executes passwd. As soon as the password is changed, the ssh connection was closed:

   %ssh -l asdf 192.168.1.50
   Password:
   ...
   Changing local password for asdf
   Old Password:
   New Password:
   Retype New Password:
   Connection to 192.168.1.50 closed.
Re: restrict ssh access
On Apr 25, 2008, at 6:46 AM, Geert Geurts wrote:
> I've got a server running a ssh server, I want to enable ssh for the use
> of sftp by a group of users, and limit their ssh access to just allow
> running passwd so they can change their default password. What would be
> the best/easiest way to accomplish this, or something similar?

I wonder what would happen if you gave them a shell of "/usr/bin/passwd"...? :-)

--
-Chuck
restrict ssh access
Hello,

I've got a server running a ssh server, I want to enable ssh for the use of sftp by a group of users, and limit their ssh access to just allow running passwd so they can change their default password. What would be the best/easiest way to accomplish this, or something similar?

Greetings,
Geert