Date:      Fri, 25 Apr 2008 16:42:19 -0500
From:      Valeriu Mutu <unix@mutu.us>
To:        freebsd-questions@freebsd.org
Subject:   Re: restrict ssh access
Message-ID:  <20080425214219.GA88106@devil.mutu.us>
In-Reply-To: <alpine.BSF.1.10.0804251943250.62384@duane.dbq.yournetplus.com>
References:  <1209131161.14700.4.camel@puk> <BCBF8C55-3A54-4DA7-AC76-32A217EFB4FB@mac.com> <alpine.BSF.1.10.0804251635570.60886@duane.dbq.yournetplus.com> <472410BF12BC19695178209A@utd65257.utdallas.edu> <alpine.BSF.1.10.0804251943250.62384@duane.dbq.yournetplus.com>

On Fri, Apr 25, 2008 at 07:50:47PM +0000, D Hill wrote:
> On Fri, 25 Apr 2008 at 14:30 -0500, pauls@utdallas.edu confabulated:
> 
>> --On Friday, April 25, 2008 16:41:07 +0000 D Hill <d.hill@yournetplus.com> 
>> wrote:
>> 
>>> On Fri, 25 Apr 2008 at 09:30 -0700, cswiger@mac.com confabulated:
>>> 
>>>> On Apr 25, 2008, at 6:46 AM, Geert Geurts wrote:
>>>>> I've got a server running a ssh server, I want to enable ssh for the use
>>>>> of sftp by a group of users, and limit their ssh access to just allow
>>>>> running passwd so they can change their default password. What would be
>>>>> the best/easiest way to accomplish this, or something similar?
>>>> 
>>>> I wonder what would happen if you gave them a shell of 
>>>> "/usr/bin/passwd"...?
>>>> :-)
>>> 
>>> That should work. I just tested. When an ssh connection is made, it 
>>> executes
>>> passwd. As soon as the password is changed, the ssh connection was closed:
>>> 
>>>    %ssh -l asdf 192.168.1.50
>>>    Password:
>>>    ...
>>>    Changing local password for asdf
>>>    Old Password:
>>>    New Password:
>>>    Retype New Password:
>>>    Connection to 192.168.1.50 closed.
>> 
>> Should make for some fascinating experiences with sftp.  :-)
> 
> I believe the connection would just close. Somehow I missed that sftp part :-(

Indeed, the connection closes. It looks like the SSH server relies on a valid login shell program to run the SFTP server. 

Anyway, may I suggest using ACL?

You'll have to add the 'acls' option in fstab and do a reboot.

After that, put those users in a group and deny that group all the permissions (r,w,x) on all executables on the system.
Set r-x permissions on their _login shell_ (i.e. /bin/csh, /bin/sh etc.) and the /usr/bin/passwd executable.

It worked for me.


-- 
Valeriu Mutu
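The ACL procedure from the reply above, written out as an added example (it is not part of this message, nor FreeBSD's own tooling). It assumes the group is called sftponly, that the filesystem holding the executables is already mounted with the acls option from fstab, and a constructed sample list of executable paths; with DRY_RUN=1 (the default here) it only prints the setfacl(1) commands it would run.

```shell
#!/bin/sh
# Added example: deny the sftponly group r,w,x on every executable via
# POSIX.1e ACLs, then grant r-x back on the login shell and passwd.
# Assumptions (not from the original message): group name "sftponly",
# filesystem already mounted with "acls", DRY_RUN=1 prints instead of runs.

SFTP_GROUP=sftponly                       # assumed group name
ALLOWED="/bin/sh /usr/bin/passwd"         # login shell and passwd keep r-x
DRY_RUN=${DRY_RUN:-1}

# Constructed sample; on a real system collect the list with
#   find / -type f -perm +111
SAMPLE_EXECUTABLES="/bin/sh /bin/ls /usr/bin/passwd /usr/bin/su"

# run_or_print CMD... : execute CMD, or print it when DRY_RUN=1
run_or_print() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# is_allowed PATH : true when PATH is one of the executables the group may run
is_allowed() {
    for a in $ALLOWED; do
        [ "$1" = "$a" ] && return 0
    done
    return 1
}

# acl_entry PATH : the named-group ACL entry to set on PATH
# (rx for the allowed programs, --- i.e. no r, w or x for everything else)
acl_entry() {
    if is_allowed "$1"; then
        printf 'g:%s:rx\n' "$SFTP_GROUP"
    else
        printf 'g:%s:---\n' "$SFTP_GROUP"
    fi
}

# restrict_executables : read one path per line on stdin and apply the entry
restrict_executables() {
    while IFS= read -r exe; do
        [ -n "$exe" ] || continue
        run_or_print setfacl -m "$(acl_entry "$exe")" "$exe"
    done
}

# fstab_has_acls LINE : true when an fstab entry already carries "acls"
# in its options field (4th column), which the reply says is required
fstab_has_acls() {
    case ",$(printf '%s\n' "$1" | awk '{print $4}')," in
        *,acls,*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Usage: DRY_RUN=0 sh restrict_acl.sh /path/to/list   (one executable per line)
# With no argument the constructed sample is used.
if [ $# -gt 0 ]; then
    restrict_executables < "$1"
else
    printf '%s\n' $SAMPLE_EXECUTABLES | restrict_executables
fi
```

Two things to keep in mind when applying this: setfacl recalculates the ACL mask entry unless -n is given, so the rx of the file's owning group (usually wheel) stays in the mask and the --- entry for sftponly is not widened by it; and POSIX.1e grants access if any matching group entry allows it, so the restricted users must not also belong to the file's owning group or to another named group with an rx entry.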


