From owner-freebsd-security@FreeBSD.ORG Wed Jun 9 12:03:27 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 97A1116A4CE; Wed, 9 Jun 2004 12:03:27 +0000 (GMT) Received: from rwcrmhc12.comcast.net (rwcrmhc12.comcast.net [216.148.227.85]) by mx1.FreeBSD.org (Postfix) with ESMTP id 8812D43D41; Wed, 9 Jun 2004 12:03:27 +0000 (GMT) (envelope-from DougB@freebsd.org) Received: from lap (c-24-130-110-32.we.client2.attbi.com[24.130.110.32]) by comcast.net (rwcrmhc12) with SMTP id <2004060912030101400buj8be>; Wed, 9 Jun 2004 12:03:11 +0000 Date: Wed, 9 Jun 2004 05:03:02 -0700 (PDT) From: Doug Barton To: "Crist J. Clark" In-Reply-To: <20040607204149.GC75747@blossom.cjclark.org> Message-ID: <20040609050217.Q5839@ync.qbhto.arg> References: <20040518160517.GA10067@therub.org> <20040606233720.F1850@ync.qbhto.arg> <20040607204149.GC75747@blossom.cjclark.org> Organization: http://www.FreeBSD.org/ X-message-flag: Outlook -- Not just for spreading viruses anymore! MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed cc: "freebsd-security@freebsd.org" cc: Remko Lodder cc: "David E. Meier" cc: Dan Rue Subject: Re: [Freebsd-security] Re: Multi-User Security X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 09 Jun 2004 12:03:27 -0000 On Mon, 7 Jun 2004, Crist J. Clark wrote: > On Sun, Jun 06, 2004 at 11:38:55PM -0700, Doug Barton wrote: >> On Wed, 19 May 2004, Dan Rue wrote: >> >>> You obviously havn't tried to chroot scponly users.. _that's_ the tricky >>> part. Especially if you want it to scale up beyond a handful of users. >>> If i'm wrong - fill me in i'd love to hear how to do it. >> >> Have you considered using ~/.ssh/authorized_keys to restrict the account >> from tty access? This would allow you to do commands (like scp) without >> the risk of the user getting an actual shell. > > $ ssh host /bin/sh > > You don't need a tty to get an interactive shell. You can also enforce what commands the user can run to prevent this. Read sshd(8) for more information. Doug -- This .signature sanitized for your protection