From owner-freebsd-security@FreeBSD.ORG Mon Jun 7 06:39:11 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id E351316A4CE for ; Mon, 7 Jun 2004 06:39:11 +0000 (GMT) Received: from sccrmhc13.comcast.net (sccrmhc13.comcast.net [204.127.202.64]) by mx1.FreeBSD.org (Postfix) with ESMTP id A236D43D58 for ; Mon, 7 Jun 2004 06:39:11 +0000 (GMT) (envelope-from DougB@freebsd.org) Received: from lap (c-24-130-110-32.we.client2.attbi.com[24.130.110.32]) by comcast.net (sccrmhc13) with SMTP id <20040607063854016000kpdae>; Mon, 7 Jun 2004 06:39:08 +0000 Date: Sun, 6 Jun 2004 23:38:55 -0700 (PDT) From: Doug Barton To: Dan Rue In-Reply-To: <20040520033024.GA26640@therub.org> Message-ID: <20040606233720.F1850@ync.qbhto.arg> References: <20040518160517.GA10067@therub.org> <20040520033024.GA26640@therub.org> Organization: http://www.FreeBSD.org/ X-message-flag: Outlook -- Not just for spreading viruses anymore! MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed cc: "freebsd-security@freebsd.org" cc: Remko Lodder cc: "David E. Meier" Subject: Re: [Freebsd-security] Re: Multi-User Security X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 07 Jun 2004 06:39:12 -0000 On Wed, 19 May 2004, Dan Rue wrote: > You obviously havn't tried to chroot scponly users.. _that's_ the tricky > part. Especially if you want it to scale up beyond a handful of users. > If i'm wrong - fill me in i'd love to hear how to do it. Have you considered using ~/.ssh/authorized_keys to restrict the account from tty access? This would allow you to do commands (like scp) without the risk of the user getting an actual shell. Doug -- This .signature sanitized for your protection