Date: Fri, 25 Apr 2008 14:30:32 -0500
From: Paul Schmehl
To: freebsd-questions@freebsd.org
Message-ID: <472410BF12BC19695178209A@utd65257.utdallas.edu>
Subject: Re: restrict ssh access

--On Friday, April 25, 2008 16:41:07 +0000 D Hill wrote:

> On Fri, 25 Apr 2008 at 09:30 -0700, cswiger@mac.com confabulated:
>
>> On Apr 25, 2008, at 6:46 AM, Geert Geurts wrote:
>>> I've got a server running a ssh server, I want to enable ssh for the use
>>> of sftp by a group of users, and limit their ssh access to just allow
>>> running passwd so they can change their default password. What would be
>>> the best/easiest way to accomplish this, or something similar?
>>
>> I wonder what would happen if you gave them a shell of "/usr/bin/passwd"...?
>> :-)
>
> That should work. I just tested. When an ssh connection is made, it executes
> passwd. As soon as the password is changed, the ssh connection was closed:
>
> %ssh -l asdf 192.168.1.50
> Password:
> ...
> Changing local password for asdf
> Old Password:
> New Password:
> Retype New Password:
> Connection to 192.168.1.50 closed.

Should make for some fascinating experiences with sftp. :-)

-- 
Paul Schmehl (pauls@utdallas.edu)
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/
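
The closing remark above, as an added example that is not part of the thread: with /usr/bin/passwd as the login shell, an sftp session starts passwd too. The hypothetical wrapper shell below (the name sftp-or-passwd is invented here) runs passwd for an interactive login and sftp-server only for the exact subsystem command. It assumes sshd invokes the login shell as `<shell> -c <command>` for subsystems and remote commands, and that sftp-server is at /usr/libexec/sftp-server.

```sh
#!/bin/sh
# Hypothetical login shell "sftp-or-passwd" (constructed example).
# Assumption: sshd starts the sftp subsystem and remote commands as
# "<login shell> -c <command>", and an interactive login with no arguments.

# Fixed paths, not taken from the environment, so a client cannot redirect them.
SFTP_SERVER="/usr/libexec/sftp-server"   # assumed FreeBSD base-system path
PASSWD_BIN="/usr/bin/passwd"

# decide ARGS...: print "passwd", "sftp" or "deny" for the given shell arguments.
decide() {
    if [ "$#" -eq 0 ]; then
        echo passwd          # interactive login: password change only
    elif [ "$#" -eq 2 ] && [ "$1" = "-c" ] && [ "$2" = "$SFTP_SERVER" ]; then
        echo sftp            # exact match on the subsystem command, no extras
    else
        echo deny            # any other remote command, scp included
    fi
}

# Act only when installed under the expected name, so the file can also be
# sourced to exercise decide() without executing anything.
if [ "${0##*/}" = "sftp-or-passwd" ]; then
    case "$(decide "$@")" in
        passwd) exec "$PASSWD_BIN" ;;
        sftp)   exec "$SFTP_SERVER" ;;
        *)      echo "This account allows sftp and password changes only." >&2
                exit 1 ;;
    esac
fi
```

The match is deliberately exact: a Subsystem line in sshd_config that passes arguments to sftp-server would need the same string in SFTP_SERVER.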