From owner-freebsd-security@FreeBSD.ORG  Wed Jun  9 12:03:27 2004
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP
	id 97A1116A4CE; Wed,  9 Jun 2004 12:03:27 +0000 (GMT)
Received: from rwcrmhc12.comcast.net (rwcrmhc12.comcast.net [216.148.227.85])
	by mx1.FreeBSD.org (Postfix) with ESMTP
	id 8812D43D41; Wed,  9 Jun 2004 12:03:27 +0000 (GMT)
	(envelope-from DougB@freebsd.org)
Received: from lap (c-24-130-110-32.we.client2.attbi.com[24.130.110.32])
          by comcast.net (rwcrmhc12) with SMTP
          id <2004060912030101400buj8be>; Wed, 9 Jun 2004 12:03:11 +0000
Date: Wed, 9 Jun 2004 05:03:02 -0700 (PDT)
From: Doug Barton <DougB@FreeBSD.org>
To: "Crist J. Clark" <cjc@FreeBSD.org>
In-Reply-To: <20040607204149.GC75747@blossom.cjclark.org>
Message-ID: <20040609050217.Q5839@ync.qbhto.arg>
References: <20040518160517.GA10067@therub.org>
	<OPEPILILPLAKPFCNKOKAGEGHCBAA.remko@elvandar.org>
	<20040606233720.F1850@ync.qbhto.arg>
	<20040607204149.GC75747@blossom.cjclark.org>
Organization: http://www.FreeBSD.org/
X-message-flag: Outlook -- Not just for spreading viruses anymore!
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
cc: "freebsd-security@freebsd.org" <freebsd-security@FreeBSD.org>
cc: Remko Lodder <remko@elvandar.org>
cc: "David E. Meier" <dev@eth0.ch>
cc: Dan Rue <drue@therub.org>
Subject: Re: [Freebsd-security] Re: Multi-User Security
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Security issues [members-only posting]
	<freebsd-security.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>,
	<mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>,
	<mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 09 Jun 2004 12:03:27 -0000

On Mon, 7 Jun 2004, Crist J. Clark wrote:

> On Sun, Jun 06, 2004 at 11:38:55PM -0700, Doug Barton wrote:
>> On Wed, 19 May 2004, Dan Rue wrote:
>>
>>> You obviously havn't tried to chroot scponly users.. _that's_ the tricky
>>> part.  Especially if you want it to scale up beyond a handful of users.
>>> If i'm wrong - fill me in i'd love to hear how to do it.
>>
>> Have you considered using ~/.ssh/authorized_keys to restrict the account
>> from tty access? This would allow you to do commands (like scp) without
>> the risk of the user getting an actual shell.
>
>  $ ssh host /bin/sh
>
> You don't need a tty to get an interactive shell.

You can also enforce what commands the user can run to prevent this. 
Read sshd(8) for more information.

Doug

-- 

     This .signature sanitized for your protection