The first thing to note is that you should upgrade to a newer
version of OpenSSH; 2.3.0 is pretty old.
On Sun, 7 Oct 2001, Hugh Nimmo-Smith wrote:
> One way is to edit the /etc/passwd file so that the shell it tries to
> use is something like "/bin/false" or "/bin/nothing"
>
> eg.
>
> sshtunnel:x:12941:12941::/home/sshtunnel:/bin/nothing
>
> so that when the user logs in no shell is generated, in the former case,
> or it does nothing (the thread blocks I believe) in the latter case.
>
> I can probably email you the /bin/nothing file as I don't think it's a
> standard file...
>
> I don't know if this prevents scp access however? - let me know if it
> does...
>
Yes, it does, since it runs /bin/usershell -c scp [..]. And since
/bin/nothing (which is not standard =) or /bin/false does not support
the -c construct, scp would break.
But subsystems (sftp in newer OpenSSH) do not spawn the user's shell,
therefore they could bypass this. (Never tried it. When I set up sftp-only
accounts I do things differently.)
> > The user fwd is on an ssh1 client and can only use password
> > authentication (I cannot control that user's access method).
> > I have restricted access to just these two users and enabled
> > forwarding and that works quite well, but I'm stuck on how to
> > limit the access for fwd. Do I need to write a custom shell
> > for that user? I can do that, but I don't know what command to allow.
>
> I don't think the custom shell (like /bin/nothing) needs to allow any
> commands as the forwarding is done independently of the shell...
>
> If you want to cron the ssh tunnels then I would recommend using rsa
> keys with no pass-phrase set.
>
Port forwarding is on or off in OpenSSH (IIRC). You cannot restrict port
forwarding based on userid/groupid, only by which ports can be forwarded.
Unsure how SSH Corp handles such cases...
- Ben