From: Peter Risdon
To: Grant Peel
Cc: "freebsd-questions@freebsd.org"
Subject: Re: sFTP nologin
Date: Fri, 25 Mar 2005 15:15:04 +0000
Message-Id: <1111763704.756.338.camel@lorna.circlesquared.com>
In-Reply-To: <002c01c53145$b9c64390$6401a8c0@GRANT>
References: <002c01c53145$b9c64390$6401a8c0@GRANT>

On Fri, 2005-03-25 at 09:19 -0500, Grant Peel wrote:
> Hi all,
>
> Going blind again.
>
> Is there a quick - secure way to allow the sshd sFTP subsystem to allow
> sftp connections without allowing shell accounts?

I can't answer this directly - I did look for the same thing but
couldn't see how to do it (so I'd be really interested if you find a
way). I got the feeling that it needs a shell by definition.

But when I was looking, I noticed that security/openssh-portable has the
make option:

WITH_OPENSSH_CHROOT

which doesn't seem to exist for security/openssh and maybe tightens
things up a bit.

Closer to what you want might be rssh, but I've never tried using it so
can't comment further:

#less /usr/ports/shells/rssh/pkg-descr

rssh is a Restricted Secure SHell that allow only the use of sftp or
scp. It could be use when you need an account (and a valid shell) in
order to execute sftp or scp but when you don't want to give the
possibility to log in to this user.

WWW: http://www.pizzashack.org/rssh/index.shtml

- enigmatyc

HTH

Peter.