restrict ssh access
Valeriu Mutu
unix at mutu.us
Fri Apr 25 21:57:14 UTC 2008
On Fri, Apr 25, 2008 at 07:50:47PM +0000, D Hill wrote:
> On Fri, 25 Apr 2008 at 14:30 -0500, pauls at utdallas.edu confabulated:
>
>> --On Friday, April 25, 2008 16:41:07 +0000 D Hill <d.hill at yournetplus.com>
>> wrote:
>>
>>> On Fri, 25 Apr 2008 at 09:30 -0700, cswiger at mac.com confabulated:
>>>
>>>> On Apr 25, 2008, at 6:46 AM, Geert Geurts wrote:
>>>>> I've got a server running a ssh server, I want to enable ssh for the use
>>>>> of sftp by a group of users, and limit their ssh access to just allow
>>>>> running passwd so they can change their default password. What would be
>>>>> the best/easiest way to accomplish this, or something similar?
>>>>
>>>> I wonder what would happen if you gave them a shell of
>>>> "/usr/bin/passwd"...?
>>>> :-)
>>>
>>> That should work. I just tested. When an ssh connection is made, it
>>> executes passwd. As soon as the password is changed, the ssh connection is closed:
>>>
>>> %ssh -l asdf 192.168.1.50
>>> Password:
>>> ...
>>> Changing local password for asdf
>>> Old Password:
>>> New Password:
>>> Retype New Password:
>>> Connection to 192.168.1.50 closed.
>>
>> Should make for some fascinating experiences with sftp. :-)
>
> I believe the connection would just close. Somehow I missed that sftp part :-(
Indeed, the connection closes. It looks like the SSH server relies on a valid login shell program to run the SFTP server.
Anyway, may I suggest using ACLs?
You'll have to add the 'acls' option in fstab and do a reboot.
After that, put those users in a group and deny that group all the permissions (r,w,x) on all executables on the system.
Set r-x permissions on their _login shell_ (i.e. /bin/csh, /bin/sh, etc.) and the /usr/bin/passwd executable.
It worked for me.
--
Valeriu Mutu
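As an added example (not code from the thread or from the FreeBSD project), this POSIX sh script generates the setfacl commands for the ACL scheme described above: deny the group every permission on all executables, then re-grant r-x on the login shell and passwd. The group name sftponly, the directory list, /bin/sh as the login shell and the inclusion of /usr/libexec/sftp-server are assumptions; the plan is only printed unless --apply is given.

```shell
#!/bin/sh
# Added example, not from the thread. Generates FreeBSD POSIX.1e ACL commands
# for the scheme above. Assumptions: group "sftponly", login shell /bin/sh,
# and a filesystem mounted with the "acls" option (fstab + reboot, as described).
# Without --apply the plan is only printed.

RESTRICTED_GROUP="sftponly"   # assumed group holding the sftp-only users
# sftp-server is listed because sshd starts it through the login shell, so the
# shell must be able to exec it; drop it if sshd uses the internal-sftp subsystem.
ALLOWED_BINARIES="/bin/sh /usr/bin/passwd /usr/libexec/sftp-server"
SEARCH_DIRS="/bin /sbin /usr/bin /usr/sbin /usr/libexec /usr/local/bin /usr/local/sbin"

# One setfacl per executable file under the given directories, denying the group
# all permissions. A matching named-group entry is evaluated instead of "other",
# so "---" denies even on world-executable files (as long as the user is not also
# in another group to which the file grants rights).
deny_group_on_executables() {
    group=$1; shift
    find "$@" -type f -perm -100 2>/dev/null | sort | while read -r f; do
        printf 'setfacl -m g:%s:--- %s\n' "$group" "$f"
    done
}

# Re-grant r-x on the binaries the group may still run. These must run after the
# deny commands, since -m rewrites the same group entry. FreeBSD setfacl
# recalculates the mask entry by default, so the r-x entry is not masked out.
allow_group_on_binaries() {
    group=$1; shift
    for f in "$@"; do
        printf 'setfacl -m g:%s:r-x %s\n' "$group" "$f"
    done
}

# Quick check to run afterwards: the group entry on passwd should read r-x.
verify_command() {
    printf 'getfacl %s | grep "^group:%s:"\n' "$2" "$1"
}

build_plan() {
    deny_group_on_executables "$RESTRICTED_GROUP" $SEARCH_DIRS
    allow_group_on_binaries "$RESTRICTED_GROUP" $ALLOWED_BINARIES
    verify_command "$RESTRICTED_GROUP" /usr/bin/passwd
}

if [ "$1" = "--apply" ]; then
    build_plan | sh -e      # execute as root on the target FreeBSD host
else
    build_plan              # dry run: show the commands that would be executed
fi
```

Review the printed plan before applying it, since the deny pass covers every executable under the listed directories and the allow list is what keeps sftp and passwd working.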