On 2003.08.04 19:36, Derek Martin wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Mon, Aug 04, 2003 at 12:53:40PM +0500, Ed J. Aivazian wrote:
> > For the users who should use sftp only, set an `empty' shell (eg.
> > #!/bin/sh \n echo "Good bye...")
> > don't forget to put the script in /etc/shells
>
> This will NOT work.
>
> $ sudo sh -c "echo -e '#!/bin/sh\necho goodby\nexit 0'
> >/usr/local/bin/badshell"
> $ sudo chmod +x /usr/local/bin/badshell
> $ sudo echo /usr/local/bin/badshell >> /etc/shells
> $ sudo chsh rudy
> Changing shell for rudy.
> New shell [/usr/local/bin/rssh]: /usr/local/bin/badshell
> Shell changed.
> $ sftp rudy@localhost
> Connecting to localhost...
> rudy@localhost's password:
> Received message too long 1198485348
> $
>
> The problem here is that when you sftp to a host, sshd starts a copy
> of the user's shell, with the command-line options appropriate for
> running sftp-server, the server-side portion of sftp. Essentially:
>
> /path/to/shell -c /path/to/sftp-server
>
> Your version of a shell will not allow this to work.
>
> - --
> Derek D. Martin
> http://www.pizzashack.org/
> GPG Key ID: 0xDFBEAD02
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.1 (GNU/Linux)
>
> iD8DBQE/LxgXdjdlQoHP510RAhNNAKChBNjoULDcFgLvmt62v8zAvnGeRgCfWBLD
> oHVhib9tntuXFtV9bDJMqaY=
> =okKo
> -----END PGP SIGNATURE-----
hi,
what about just using a simple "/bin/false" for the login shell for
user ids that I don't want to log in but which I set up for sFTP? That's
what I've set up on my workstation at work (which is anyway protected
by a corporate firewall - so I wouldn't ever see any cracking
attempts). Would appreciate if anyone can show me that using
"/bin/false" is NOT a secure way to shut off logins.
thanks,
--
Ranjeet Shetye
Senior Software Engineer
Zultys Technologies
Ranjeet dot Shetye2 at Zultys dot com
http://www.zultys.com/
--
The views, opinions, and judgements expressed in this message are
solely those of the author. The message contents have not been reviewed
or approved by Zultys.
Received on Wed Aug 6 12:29:24 2003
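As an added example, not code from this thread or from any of its posters: a minimal POSIX sh login shell that accepts exactly the invocation Derek describes (`shell -c /path/to/sftp-server`) and refuses an interactive login or any other command. The sftp-server path and the function names are assumptions. The same invocation pattern is why an account whose shell is `/bin/false` cannot use sftp at all: `/bin/false` ignores its arguments and exits non-zero, so sshd's `shell -c sftp-server` fails just as the "goodbye" script did.

```shell
#!/bin/sh
# Added example for this thread, not code from any of its posters.
# A minimal "sftp-only" login shell. sshd starts the account's shell as
#     $SHELL -c "/path/to/sftp-server"
# so a replacement shell must accept exactly that invocation and refuse
# everything else (an interactive login arrives with no -c at all).

# Assumed path of the OpenSSH sftp-server binary (Debian layout); set
# SFTP_SERVER in the environment or edit this line for other systems.
SFTP_SERVER="${SFTP_SERVER:-/usr/lib/openssh/sftp-server}"

# allowed_command "<string sshd passed after -c>"
# Exit 0 only when the command is exactly the sftp-server binary. Anything
# else (another binary, a pipeline, a path that merely starts with the
# same prefix, or extra arguments) is rejected. sshd's default Subsystem
# line passes no arguments, so an exact match is enough.
allowed_command() {
    case "$1" in
        "$SFTP_SERVER") return 0 ;;
        *) return 1 ;;
    esac
}

# sftp_only_shell [arguments sshd gave the shell]
# Policy check only: exit 0 when the invocation is "-c <allowed command>",
# exit 1 (with a message on stderr) for interactive logins or other commands.
sftp_only_shell() {
    if [ "$#" -ne 2 ] || [ "$1" != "-c" ]; then
        echo "This account is restricted to sftp; interactive login refused." >&2
        return 1
    fi
    if allowed_command "$2"; then
        return 0
    fi
    echo "This account is restricted to sftp; command refused." >&2
    return 1
}

# When installed as a login shell (and listed in /etc/shells, as the thread
# notes), this is the part that runs: check the invocation, then replace the
# shell process with sftp-server. With no arguments (for example when this
# file is sourced for testing) nothing is executed.
if [ "$#" -gt 0 ]; then
    sftp_only_shell "$@" || exit 1
    exec "$2"
fi
```

Install it as `/usr/local/bin/sftponly`, add that path to `/etc/shells`, and `chsh` the account to it; `ssh user@host` is then refused while `sftp user@host` works, because the only command the shell will ever exec is the sftp-server binary itself.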