From owner-freebsd-questions@FreeBSD.ORG Fri Apr 25 21:57:14 2008 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id D1C8E106564A for ; Fri, 25 Apr 2008 21:57:14 +0000 (UTC) (envelope-from unix@devil.mutu.us) Received: from devil.mutu.us (devil.mutu.us [206.229.45.53]) by mx1.freebsd.org (Postfix) with ESMTP id 8AD878FC26 for ; Fri, 25 Apr 2008 21:57:14 +0000 (UTC) (envelope-from unix@devil.mutu.us) Received: from devil.mutu.us (localhost [127.0.0.1]) by devil.mutu.us (8.13.8/8.13.8) with ESMTP id m3PLgO5F088137 for ; Fri, 25 Apr 2008 16:42:24 -0500 (CDT) (envelope-from unix@devil.mutu.us) Received: (from unix@localhost) by devil.mutu.us (8.13.8/8.13.8/Submit) id m3PLgJK9088132 for freebsd-questions@freebsd.org; Fri, 25 Apr 2008 16:42:19 -0500 (CDT) (envelope-from unix) Date: Fri, 25 Apr 2008 16:42:19 -0500 From: Valeriu Mutu To: freebsd-questions@freebsd.org Message-ID: <20080425214219.GA88106@devil.mutu.us> Mail-Followup-To: freebsd-questions@freebsd.org References: <1209131161.14700.4.camel@puk> <472410BF12BC19695178209A@utd65257.utdallas.edu> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: Organization: Mutu User-Agent: Mutt/1.5.17 (2007-11-01) Subject: Re: restrict ssh access X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 25 Apr 2008 21:57:14 -0000 On Fri, Apr 25, 2008 at 07:50:47PM +0000, D Hill wrote: > On Fri, 25 Apr 2008 at 14:30 -0500, pauls@utdallas.edu confabulated: > >> --On Friday, April 25, 2008 16:41:07 +0000 D Hill >> wrote: >> >>> On Fri, 25 Apr 2008 at 09:30 -0700, cswiger@mac.com confabulated: >>> >>>> On Apr 25, 2008, at 6:46 AM, Geert Geurts wrote: >>>>> I've got a server running a ssh server, I want to enable ssh for the use >>>>> of sftp by a group of users, and limit their ssh access to just allow >>>>> running passwd so they can change their default password. What whould be >>>>> the best/easiest way to acomplish this, or something similiar? >>>> >>>> I wonder what would happen if you gave them a shell of >>>> "/usr/bin/passwd"...? >>>> :-) >>> >>> That should work. I just tested. When an ssh connection is made, it >>> executes >>> passwd. As soon as the password is changed, the ssh connection was closed: >>> >>> %ssh -l asdf 192.168.1.50 >>> Password: >>> ... >>> Changing local password for asdf >>> Old Password: >>> New Password: >>> Retype New Password: >>> Connection to 192.168.1.50 closed. >> >> Should make for some fascinating experiences with sftp. :-) > > I believe the connecton would just close. Somehow I missed that sftp part :-( Indeed, the connection closes. It looks like the SSH server relies on a valid login shell program to run the SFTP server. Anyway, may I suggest using ACL? You'll have to add the 'acls' option in fstab and do a reboot. After that, put those users in a group and deny that group all the permissions (r,w,x) on all executables on the system. Set r-x permissions on their _login shell_ (i.e /bin/csh, /bin/sh etc.) and /usr/bin/passwd executable. It worked for me. > _______________________________________________ > freebsd-questions@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-questions > To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org" -- Valeriu Mutu