Date: Fri, 25 Apr 2008 16:42:19 -0500
From: Valeriu Mutu <unix@mutu.us>
To: freebsd-questions@freebsd.org
Subject: Re: restrict ssh access
Message-ID: <20080425214219.GA88106@devil.mutu.us>
In-Reply-To: <alpine.BSF.1.10.0804251943250.62384@duane.dbq.yournetplus.com>
References: <1209131161.14700.4.camel@puk>
 <BCBF8C55-3A54-4DA7-AC76-32A217EFB4FB@mac.com>
 <alpine.BSF.1.10.0804251635570.60886@duane.dbq.yournetplus.com>
 <472410BF12BC19695178209A@utd65257.utdallas.edu>
 <alpine.BSF.1.10.0804251943250.62384@duane.dbq.yournetplus.com>
On Fri, Apr 25, 2008 at 07:50:47PM +0000, D Hill wrote:
> On Fri, 25 Apr 2008 at 14:30 -0500, pauls@utdallas.edu confabulated:
>
>> --On Friday, April 25, 2008 16:41:07 +0000 D Hill <d.hill@yournetplus.com>
>> wrote:
>>
>>> On Fri, 25 Apr 2008 at 09:30 -0700, cswiger@mac.com confabulated:
>>>
>>>> On Apr 25, 2008, at 6:46 AM, Geert Geurts wrote:
>>>>> I've got a server running an ssh server, I want to enable ssh for the use
>>>>> of sftp by a group of users, and limit their ssh access to just allow
>>>>> running passwd so they can change their default password. What would be
>>>>> the best/easiest way to accomplish this, or something similar?
>>>>
>>>> I wonder what would happen if you gave them a shell of
>>>> "/usr/bin/passwd"...?
>>>> :-)
>>>
>>> That should work. I just tested. When an ssh connection is made, it
>>> executes passwd. As soon as the password is changed, the ssh connection
>>> was closed:
>>>
>>> %ssh -l asdf 192.168.1.50
>>> Password:
>>> ...
>>> Changing local password for asdf
>>> Old Password:
>>> New Password:
>>> Retype New Password:
>>> Connection to 192.168.1.50 closed.
>>
>> Should make for some fascinating experiences with sftp. :-)
>
> I believe the connection would just close. Somehow I missed that sftp part :-(

Indeed, the connection closes. It looks like the SSH server relies on a valid
login shell program to run the SFTP server.

Anyway, may I suggest using ACL? You'll have to add the 'acls' option in fstab
and do a reboot. After that, put those users in a group and deny that group all
the permissions (r,w,x) on all executables on the system. Set r-x permissions on
their _login shell_ (i.e. /bin/csh, /bin/sh etc.) and /usr/bin/passwd
executable. It worked for me.

-- 
Valeriu Mutu
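The ACL scheme Valeriu describes, written out as a script. This is an added example, not code from the thread; it assumes POSIX.1e ACLs are already enabled on the filesystem, a made-up group name "sftponly", and the default FreeBSD sshd_config whose sftp subsystem is the external /usr/libexec/sftp-server, which is kept executable because the sftp users in the question still need it.

```sh
#!/bin/sh
# Added example, not from the thread: apply the ACL scheme Valeriu describes.
# Assumes POSIX.1e ACLs are enabled on the target filesystem ("acls" in fstab)
# and that sshd's sftp subsystem is the external /usr/libexec/sftp-server,
# which sftp users must still be able to execute. Group "sftponly" is made up.
# Default is dry-run mode (prints the setfacl commands); DRY_RUN=0 applies them.

DRY_RUN=${DRY_RUN:-1}

run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# Deny r, w and x to group $1 on every executable regular file directly in $2.
# A user matching a named-group ACL entry is judged by that entry, so the
# file's own group and "other" mode bits no longer let the user run it.
# (Members of another group that also matches, e.g. wheel, are not covered.)
deny_dir() {
  for f in "$2"/*; do
    [ -f "$f" ] && [ -x "$f" ] || continue
    run setfacl -m "g:$1:---" "$f"
  done
}

# apply_restrictions GROUP "DIR ..." "ALLOWED_FILE ..."
# Denies everything in the listed directories, then re-grants r-x on the
# programs the group must still run: the login shell, passwd, sftp-server.
apply_restrictions() {
  group=$1; dirs=$2; allow=$3
  for d in $dirs; do
    if [ -d "$d" ]; then deny_dir "$group" "$d"; fi
  done
  for f in $allow; do
    run setfacl -m "g:$group:r-x" "$f"
  done
}

# Check for the real run: true if getfacl shows the expected named-group entry.
# Usage: has_entry sftponly /usr/bin/passwd r-x
has_entry() { getfacl "$2" 2>/dev/null | grep -q "^group:$1:$3"; }

if [ "${1:-}" = "apply" ]; then
  apply_restrictions sftponly \
    "/bin /sbin /usr/bin /usr/sbin /usr/libexec /usr/local/bin /usr/local/sbin" \
    "/bin/sh /usr/bin/passwd /usr/libexec/sftp-server"
fi
```

Run with `DRY_RUN=1 sh script.sh apply` first and read the generated commands; the deny pass only looks one level deep in the listed directories, so extend the list for any other executable locations on the host.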