From: "Crist J. Clark" <cristjc@comcast.net>
To: Doug Barton
Cc: freebsd-security@freebsd.org, Remko Lodder, "David E. Meier", Dan Rue
Date: Mon, 7 Jun 2004 13:41:49 -0700
Subject: Re: [Freebsd-security] Re: Multi-User Security
Message-ID: <20040607204149.GC75747@blossom.cjclark.org>
In-Reply-To: <20040606233720.F1850@ync.qbhto.arg>
References: <20040518160517.GA10067@therub.org> <20040520033024.GA26640@therub.org> <20040606233720.F1850@ync.qbhto.arg>
List-Id: Security issues [members-only posting]

On Sun, Jun 06, 2004 at 11:38:55PM -0700, Doug Barton wrote:
> On Wed, 19 May 2004, Dan Rue wrote:
>
> > You obviously haven't tried to chroot scponly users.. _that's_ the tricky
> > part. Especially if you want it to scale up beyond a handful of users.
> > If I'm wrong - fill me in, I'd love to hear how to do it.
>
> Have you considered using ~/.ssh/authorized_keys to restrict the account
> from tty access? This would allow you to do commands (like scp) without
> the risk of the user getting an actual shell.

  $ ssh host /bin/sh

You don't need a tty to get an interactive shell.

-- 
Crist J. Clark | cjclark@alum.mit.edu | cjclark@jhu.edu
http://people.freebsd.org/~cjc/ | cjc@freebsd.org
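An added example, not part of the thread and not code from any of its posters: the point of Crist Clark's reply is that a `no-pty` restriction in ~/.ssh/authorized_keys only denies a terminal, while `ssh host /bin/sh` still gets a shell on the connection's pipes. What actually closes that hole is the `command=` option, because sshd then ignores whatever the client asked to run and executes the forced command instead, exposing the client's request only through SSH_ORIGINAL_COMMAND. The wrapper below allows nothing but scp's own remote-side invocation confined to the account's home directory. The script path /usr/local/bin/scp-only.sh, the function name `is_allowed_scp`, and the /home/alice paths are assumptions for this example.

```shell
#!/bin/sh
# Forced-command wrapper for an scp-only account (added example, not from
# the mailing-list thread). Install as /usr/local/bin/scp-only.sh (assumed
# path) and reference it from the key's authorized_keys entry:
#
#   command="/usr/local/bin/scp-only.sh",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-rsa AAAA... alice@laptop
#
# sshd runs this script for every session on that key, whether the client
# requested "scp -t ...", "/bin/sh", or a plain login, and the request is
# visible only in $SSH_ORIGINAL_COMMAND.

# is_allowed_scp REQUEST HOME
# Returns 0 when REQUEST is scp's remote-side command line ("scp [-r|-p|-d|-v]
# -t DIR" for an upload, "... -f PATH" for a download) operating on a path
# inside HOME, and 1 for anything else.
is_allowed_scp() {
    home=$2
    set -f                       # no pathname expansion while splitting the request
    set -- $1                    # split the request into words on whitespace
    [ "${1:-}" = scp ] || return 1
    shift
    mode=
    # Every word before the last must be an scp option we expect; the last
    # word is the path. "scp" alone, or "scp -t" with no path, fails here.
    while [ $# -gt 1 ]; do
        case $1 in
            -t) mode=sink ;;
            -f) mode=source ;;
            -r|-p|-d|-v) ;;
            *) return 1 ;;
        esac
        shift
    done
    [ -n "$mode" ] || return 1
    path=${1:-}
    case $path in
        # Deliberately strict character allowlist: rejects quotes, globs,
        # ';', '|', '$' and friends, so nothing here can be turned into a
        # second command.
        *[!A-Za-z0-9_./-]*) return 1 ;;
        # No climbing out of the home directory.
        *../*|*/..) return 1 ;;
        "$home"|"$home"/*) return 0 ;;
    esac
    return 1
}

# Only act as the forced command when sshd invoked this file by name; when
# the file is sourced for testing nothing below runs.
case $0 in
    *scp-only.sh)
        if is_allowed_scp "${SSH_ORIGINAL_COMMAND:-}" "$HOME"; then
            set -f
            set -- $SSH_ORIGINAL_COMMAND
            shift                                  # drop the leading "scp"
            exec /usr/bin/scp "$@"
        fi
        # A refused request (including "/bin/sh" or a bare login) is worth
        # a syslog line: repeated refusals on one key are a useful signal.
        logger -t scp-only "refused request '${SSH_ORIGINAL_COMMAND:-<login attempt>}' for $(id -un)"
        exit 1
        ;;
esac
```

The wrapper answers the scaling concern only for the "no shell" half of the problem; files remain reachable by any path the account's Unix permissions allow, which is what the chroot in the original question was for. Later OpenSSH releases added `ChrootDirectory` together with `ForceCommand internal-sftp` in sshd_config, which gives the chroot without per-user copies of binaries, and a `restrict` keyword in authorized_keys that turns off pty, forwarding and agent access in one word.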