[ale] Best way to disable command-line access?
Jim Popovitch jimpop at yahoo.com
Thu Oct  5 16:23:22 EDT 2006

On Thu, 2006-10-05 at 16:12 -0400, Jerry Yu wrote:
> on top of the authorized_keys set-up, of course, one needs to make
> sure Public Key is the only auth possible for this account.
> if sftp-only is acceptable,
> "usermod -s /usr/libexec/openssh/sftp-server singledOutUser"

Not at all.  Simply doing what I wrote effectively limits the user
account to whatever is specified by "command=".  The OP was quite clear
in their requirements for restricting use of ssh credentials.

Of course if they are allowing their users to use ftp and telnet then
they have other concerns than simply limiting what program they can
execute. ;-)

-Jim P.
> 
> On 10/5/06, Jim Popovitch <jimpop at yahoo.com> wrote:
>         On Thu, 2006-10-05 at 13:42 -0400, Allan Metts wrote: 
>         > Hi everyone,
>         >
>         > What's the best way to preserve the ability to transfer
>         > files with scp, but PREVENT someone from using those same ssh
>         > credentials to get to a command line?  This is for a single
>         > user only -- other users of the same server should be able to
>         > log in as usual.
>         >
>         > I tried usermod -s <a_script_that_does_nothing> <user>, but
>         > this seems to prevent scp file transfers as well.
>         >
>         > Is there a user-specific ssh config setting that does
>         > this?  Any other ideas?
>         >
>         
>         Set up their authorized key in ~/.ssh/authorized_keys as
>         follows: (all on one big long line)
>         
>         no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty,command="/usr/lib/sftp-server" ssh-dss AAAAB3N.......
>         
>         hth,
>         
>         -Jim P.
>         
> 
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://www.ale.org/mailman/listinfo/ale
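
A check for the setup described in the quoted message, as an added example that is not part of the original thread: it parses authorized_keys entries (including a quoted command= value containing spaces or commas) and reports keys that lack the forced command or the restriction options from the post. The sample file, its key material and the /usr/local/bin/wrap path are constructed placeholders, and only the key types in KEY_TYPE are recognised as the start of an entry without options.

```python
import re

# Restriction options from the post, lowercased (option names are case-insensitive).
REQUIRED_FLAGS = {"no-port-forwarding", "no-x11-forwarding", "no-agent-forwarding", "no-pty"}
KEY_TYPE = re.compile(r"^(ssh-(dss|rsa|ed25519)|ecdsa-sha2-\S+)$")
# Constructed sample file; the key material is a placeholder, not a real key.
SAMPLE = '''\
# restricted transfer account, as in the post
no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty,command="/usr/lib/sftp-server" ssh-dss AAAAPLACEHOLDER alice
ssh-rsa AAAAPLACEHOLDER bob
command="/usr/local/bin/wrap a,b",no-pty ssh-rsa AAAAPLACEHOLDER carol
'''

def _split_unquoted(text, seps, maxsplit=-1):
    """Split text on any character in seps that lies outside double quotes."""
    parts, cur, quoted, prev = [], "", False, ""
    for ch in text:
        if ch == '"' and prev != "\\":
            quoted = not quoted
        if ch in seps and not quoted and maxsplit != 0:
            parts.append(cur)
            cur, maxsplit = "", maxsplit - 1
        else:
            cur += ch
        prev = ch
    return parts + [cur]

def parse_options(line):
    """Return the options of one authorized_keys entry as a dict."""
    if KEY_TYPE.match(line.split(None, 1)[0]):
        return {}  # entry starts with the key type: no options at all
    opts = {}
    for opt in _split_unquoted(_split_unquoted(line.strip(), " \t", 1)[0], ","):
        name, _, value = opt.partition("=")
        opts[name.lower()] = value.strip('"')
    return opts

def audit(text):
    """Return [(line number, missing options)] for keys that are not confined."""
    findings = []
    for num, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        opts = parse_options(line)
        missing = sorted(REQUIRED_FLAGS - opts.keys())
        missing += [] if opts.get("command") else ["command"]
        if missing:
            findings.append((num, missing))
    return findings
```

Calling audit() on the text of a user's ~/.ssh/authorized_keys returns an empty list when every key carries the forced command and all four restriction options.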
    
    