Hot Diggety! Edward Ned Harvey was rumored to have written:

> I never heard of that but it sounds cool. I would comment though - Make
> sure to shut off your sftp subsystem, and disable port forwarding. And I
> wonder if there are any other special features of sshd you would need to
> disable ... These things don't depend on the login shell. IIRC, I think you
> can actually set your login shell to /bin/false, and still login to sftp.
> And even if you set the password field to **LOCKED**, you can still use
> keyfiles (if you previously generated them).
That's potentially a risk, depending on platform, admin knowledge and cluefulness, and tools used. Say an employee is forced to leave the org for whatever reason, the account mgmt tool sets the password field to '**LOCKED**', but an angry now-former employee then uses the existing passphrase/key to get in, and launches all sorts of interesting destruction or compromises. Or in a smaller setup, the keys get overlooked... It happens...

A safer approach would be to use one of the sftp-only login shells (F/OSS download -- compile, drop in place, change shell, done) that does some additional validation checks and watches out for fun corner cases.

-Dan

_______________________________________________
Tech mailing list
[email protected]
http://lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
http://lopsa.org/
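The corner case both posters describe (password field locked, authorized key still accepted by sshd) is easy to audit for. The following POSIX shell script is an added example, not code from this thread or from any of the sftp-only shells mentioned: it reads a shadow-format file, treats a password field beginning with `!`, `*` (which also covers `*LK*` and `**LOCKED**`) as locked, and reports every locked account that still has at least one active line in `<homeroot>/<user>/.ssh/authorized_keys`. The user names, key strings and hashes in the fixture are constructed and not real. Run it against `/etc/shadow` and `/home` as root on a real host; it does not cover alternate `AuthorizedKeysFile` locations, directory-backed accounts, or keys held by an agent, so it complements rather than replaces removing the key material and expiring the account (on Linux, `usermod -L` locks only the password, while `chage -E` sets an expiry date that a PAM-using sshd honours).

```shell
#!/bin/sh
# Added example for the LOPSA thread above (not the list's or any project's code).
# locked_with_keys SHADOWFILE HOMEROOT
#   Prints, one per line, each user whose password field in SHADOWFILE is
#   locked but who still has an active entry in HOMEROOT/<user>/.ssh/authorized_keys.
locked_with_keys() {
    shadow="$1"
    homeroot="$2"
    while IFS=: read -r user hash _rest; do
        [ -n "$user" ] || continue               # skip blank lines
        case "$hash" in
            '!'*|'*'*) locked=1 ;;               # passwd -l, usermod -L, *LK*, **LOCKED**, no-password
            *)         locked=0 ;;
        esac
        [ "$locked" -eq 1 ] || continue
        keyfile="$homeroot/$user/.ssh/authorized_keys"
        [ -f "$keyfile" ] || continue
        # An active key line is any line whose first non-blank character is not '#'.
        if grep -q -E '^[[:space:]]*[^#[:space:]]' "$keyfile"; then
            printf '%s\n' "$user"
        fi
    done < "$shadow"
}

# make_fixture: builds a constructed shadow file and home tree in a temp dir
# and prints the directory path. Hashes and keys below are fake placeholders.
make_fixture() {
    dir=$(mktemp -d)
    mkdir -p "$dir/home/alice/.ssh" "$dir/home/bob/.ssh" "$dir/home/carol/.ssh"
    # alice: locked with **LOCKED**, still has a live key  -> should be reported
    printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEKEYNOTREALxxxxxxxxxxxxxxx alice@laptop\n' \
        > "$dir/home/alice/.ssh/authorized_keys"
    # bob: locked with '!' prefix, authorized_keys has only a comment -> not reported
    printf '# no active keys\n\n' > "$dir/home/bob/.ssh/authorized_keys"
    # carol: not locked, has a key                          -> not reported
    printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQFAKEKEYNOTREALxxxxxxxxxxxxxxx carol@desk\n' \
        > "$dir/home/carol/.ssh/authorized_keys"
    # dave: locked Solaris-style, no home directory at all  -> not reported
    cat > "$dir/shadow" <<'EOF'
root:$6$saltsalt$FAKEHASHFAKEHASHFAKEHASH:19000:0:99999:7:::
alice:**LOCKED**:19000:0:99999:7:::
bob:!$6$saltsalt$FAKEHASHFAKEHASHFAKEHASH:19000:0:99999:7:::
carol:$6$saltsalt$FAKEHASHFAKEHASHFAKEHASH:19000:0:99999:7:::
dave:*LK*:19000:0:99999:7:::
EOF
    printf '%s\n' "$dir"
}

# Usage on the constructed fixture; on a real host call
#   locked_with_keys /etc/shadow /home
fixture=$(make_fixture)
locked_with_keys "$fixture/shadow" "$fixture/home"
rm -rf "$fixture"
```

Only `alice` is printed for the fixture: `bob` is locked but has no active key line, `carol` is not locked, and `dave` has no key file. The lock test deliberately keys on the first character only, because `passwd -l` on Linux prefixes the existing hash with `!` rather than replacing it, so the original hash (and the key-based path around it) is still there.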
