Re: SFTP

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tue, Aug 05, 2003 at 10:46:37AM -0700, Ranjeet Shetye wrote: [My earlier comments snipped]
> >The problem here is that when you sftp to a host, sshd starts a copy
[more snippage]
> hi,
>
> what about just using a simple "/bin/false" for the login shell for

This will work fine if you want to completely disable the account, but it will NOT work if you want to allow sftp, for exactly the same reasons as stated above. For sftp/scp to work, the user's shell MUST allow the execution of commands, and MUST accept the -c option to specify what command to run.

If you need this, you'll want to use something like rssh:

  http://www.pizzashack.org/rssh/

rssh mimics the functionality of a normal shell, but only allows the execution of scp and/or sftp-server, depending on how you configure it. Any other method besides that used by rssh will simply not work. Another program which works (which does basically the same thing as rssh) is scponly.

• -- Derek D. Martin http://www.pizzashack.org/ GPG Key ID: 0xDFBEAD02

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

iD8DBQE/MThqdjdlQoHP510RAoFkAJ9lGT3ZhLFNtfVYMLMx9YdXGLv1TQCfeo8i ob2QCBWrWNyCSc67NziQWmg=
=u6Kg
-----END PGP SIGNATURE----- Received on Wed Aug 6 23:41:51 2003