From: Valeriu Mutu
To: freebsd-questions@freebsd.org
Date: Fri, 25 Apr 2008 16:53:45 -0500
Subject: Re: restrict ssh access
Message-ID: <20080425215345.GB88106@devil.mutu.us>

On Fri, Apr 25, 2008 at 07:50:47PM +0000, D Hill wrote:
> On Fri, 25 Apr 2008 at 14:30 -0500, pauls@utdallas.edu confabulated:
>
>> --On Friday, April 25, 2008 16:41:07 +0000 D Hill wrote:
>>
>>> On Fri, 25 Apr 2008 at 09:30 -0700, cswiger@mac.com confabulated:
>>>
>>>> On Apr 25, 2008, at 6:46 AM, Geert Geurts wrote:
>>>>> I've got a server running a ssh server, I want to enable ssh for the use
>>>>> of sftp by a group of users, and limit their ssh access to just allow
>>>>> running passwd so they can change their default password. What would be
>>>>> the best/easiest way to accomplish this, or something similar?
>>>>
>>>> I wonder what would happen if you gave them a shell of
>>>> "/usr/bin/passwd"...?
>>>> :-)
>>>
>>> That should work. I just tested. When an ssh connection is made, it
>>> executes
>>> passwd. As soon as the password is changed, the ssh connection was closed:
>>>
>>> %ssh -l asdf 192.168.1.50
>>> Password:
>>> ...
>>> Changing local password for asdf
>>> Old Password:
>>> New Password:
>>> Retype New Password:
>>> Connection to 192.168.1.50 closed.
>>
>> Should make for some fascinating experiences with sftp. :-)
>
> I believe the connection would just close. Somehow I missed that sftp part :-(

One more thing: you'll have to set r-x permissions for
/usr/libexec/sftp-server as well.

To summarize, you'll have to set r-x permissions for the user's shell,
passwd utility and sftp-server. All other executables can be denied
access...

--
Valeriu Mutu
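
One way to verify the end state summarized in the message above, as an added example that is not part of the original thread: the function reports allowlisted programs that lack r-x and any other file that is still executable. It assumes the restricted accounts fall in the "other" permission class (the message does not say how access is denied) and that the user's shell is /bin/sh; `audit_exec`, `make_demo_tree` and the temporary tree are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Assumption: the restricted accounts are
# neither owner nor group of the programs, so the "other" mode bits decide.

# audit_exec ROOT ALLOWED...  -> prints findings, returns 1 if there are any.
audit_exec() {
    root=$1; shift
    findings=$(
        # Each allowlisted program must be a regular file with r-x for other.
        for p in "$@"; do
            if [ -z "$(find "$p" -prune -type f -perm -005 2>/dev/null)" ]; then
                echo "MISSING r-x: $p"
            fi
        done
        # Nothing else under ROOT may carry the other-execute bit.
        find "$root" -type f -perm -001 2>/dev/null | sort |
        while IFS= read -r f; do
            allowed=no
            for p in "$@"; do
                if [ "$f" = "$p" ]; then allowed=yes; fi
            done
            if [ "$allowed" = no ]; then echo "UNEXPECTED x: $f"; fi
        done
    )
    if [ -z "$findings" ]; then return 0; fi
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample tree mirroring the FreeBSD paths from the thread.
make_demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/bin" "$d/usr/bin" "$d/usr/libexec"
    for f in bin/sh usr/bin/passwd usr/libexec/sftp-server usr/bin/ls usr/bin/vi; do
        : > "$d/$f"
    done
    chmod 755 "$d/bin/sh" "$d/usr/bin/passwd" "$d/usr/libexec/sftp-server"
    chmod 750 "$d/usr/bin/ls"   # denied to other
    chmod 755 "$d/usr/bin/vi"   # left open by mistake, should be flagged
    echo "$d"
}

demo=$(make_demo_tree)
audit_exec "$demo" "$demo/bin/sh" "$demo/usr/bin/passwd" \
    "$demo/usr/libexec/sftp-server" || true
rm -rf "$demo"
```

On a real host the same call would take `/` (or the directories on the users' PATH) as ROOT and the three real program paths as the allowlist.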