Telnet to SSH migration
Bill Ricker
bill.n1vux at gmail.com
Sat Oct 21 13:05:54 EDT 2006
> I am deprecating the use of telnet for ssh.
> However, I need to limit the capabilities provided by ssh down
If you set their "shell" in /etc/passwd, as with telnet, it should
work the same.
I'm told RSH and Chroot can make a very effective jail for restricted users.
> no scp, no sftp,
They don't have FTP today? When stamping out insecure telnet, it's
time to stamp out insecure FTP with SCP too. (There is also an
scp-only variant for FTP-replacement incoming-file accounts, to
prevent SCP users from doing SSH remote commands or SSH shell. But I
rather like SCP users to be able to do an "ssh ls")
If the default PATH doesn't have the scp/sftp binaries, I think those
are blocked too.
If the user can only run a few commands, I wonder what good
port-forwarding would do the users, or what harm it would do. They
can't run something that connects to the port they're back-forwarding.
If they can connect to port 22, they probably can connect to port 25
too, so forward forwarding buys them little, unless the system is
in a firewall-protected location, or there are some ports that react
differently to connects from localhost.
If you really want your users in a jail, why give them unix ids at
all? A web portal with their 5 commands on it keeps them in an even
simpler jail.
--
Bill
n1vux at arrl.net bill.n1vux at gmail.com
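The approach above (a restricted login shell plus no scp/sftp and no forwarding) can be expressed as an sshd ForceCommand wrapper. The script below is an added example, not from this thread or from OpenSSH; the group name "restricted", the script path and the five-command allowlist are assumptions, and it restricts by command name rather than by PATH.

```shell
#!/bin/sh
# Added example: ForceCommand wrapper that lets members of an assumed
# "restricted" group run only an allowlist of commands over ssh and
# refuses interactive shells, scp and sftp. Assumed sshd_config fragment:
#
#   Match Group restricted
#       ForceCommand /usr/local/bin/restricted-shell
#       AllowTcpForwarding no
#       X11Forwarding no
#       AllowAgentForwarding no
#       PermitTunnel no
#
# With ForceCommand, sshd exports the client's requested command in
# SSH_ORIGINAL_COMMAND (scp shows up as "scp -t ...", sftp as
# "internal-sftp" or "sftp-server"); a plain shell request leaves it unset.

# Allowlist: exact command words, no arguments ("ls" yes, "ls /etc" no).
ALLOWED="ls who uptime date df"

# allowed_command REQUEST -> 0 if REQUEST is exactly one allowlisted word,
# 1 otherwise. Empty requests (interactive shell) and anything containing
# whitespace or shell metacharacters are refused outright.
allowed_command() {
    req="$1"
    case "$req" in
        ''|*' '*|*'	'*|*';'*|*'|'*|*'&'*|*'`'*|*'$'*|*'>'*|*'<'*|*'('*)
            return 1 ;;
    esac
    for cmd in $ALLOWED; do
        [ "$req" = "$cmd" ] && return 0
    done
    return 1
}

# Dispatch only when installed under the assumed name, so the file can
# also be sourced or concatenated for testing without acting on anything.
case "$0" in
    */restricted-shell|restricted-shell)
        if allowed_command "${SSH_ORIGINAL_COMMAND-}"; then
            exec "$SSH_ORIGINAL_COMMAND"
        fi
        printf 'Refused: %s\n' "${SSH_ORIGINAL_COMMAND:-<interactive shell>}" >&2
        exit 1 ;;
esac
```

Refusals land in sshd's session log with the user name, which is the signal to watch for scp/sftp or shell attempts from accounts that are only supposed to run the listed commands.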