[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [suse-security] Restrict usage of ssh-keypair

To: suse-security@xxxxxxxx
Subject: Re: [suse-security] Restrict usage of ssh-keypair
From: Lars Ellenberg <l.g.e@xxxxxx>
Date: Tue, 1 Jul 2003 01:08:42 +0200
Delivered-to: mailing list suse-security@xxxxxxxx
Delivery-date: Tue, 01 Jul 2003 01:36:22 +0200
Envelope-to: suse@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
In-reply-to: <Pine.LNX.4.53.0306301523150.23742@xxxxxxxxxxxxx>
List-help: <mailto:suse-security-help@suse.com>
List-post: <mailto:suse-security@suse.com>
List-subscribe: <mailto:suse-security-subscribe@suse.com>
List-unsubscribe: <mailto:suse-security-unsubscribe-suse=archive.cert.uni-stuttgart.de@suse.com>
Mail-followup-to: suse-security@xxxxxxxx
Mailing-list: contact suse-security-help@xxxxxxxx; run by ezmlm
References: <Pine.LNX.4.53.0306301439080.23742@xxxxxxxxxxxxx> <3F00356C.6030805@xxxxxxx> <Pine.LNX.4.53.0306301523150.23742@xxxxxxxxxxxxx>
Sender: l.g.e@xxxxxx
User-agent: Mutt/1.4i

On Mon, Jun 30, 2003 at 03:23:54PM +0200, Michael 'bukhem' Scherer wrote:
> On Mon, 30 Jun 2003, Vladimir Dvorak wrote:
> >See man 8 sshd. I thing that the best choice would be the parameter
> >no-pty in authorized_keys file. It will disallow to set up the terminal
> >session.
> 
> Too easy but that did the job.
> 

I think it really is _too_ easy.
if you don't have a tty, you won't get the bash prompt.
but that is about all there is to it.

you still can do what ever bash can do.  sorry.

you have to be much more restrictive in the authorized_keys file,
possibly forcing certain commands.
which could parse $SSH_ORIGINAL_COMMAND for additional info ...

	Lars Ellenberg

-- 
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@xxxxxxxx
Security-related bug reports go to security@xxxxxxx, not here

Next by Date: Re: [suse-security] NIS - problems with passwd
Next by thread: Re: [suse-security] NIS - problems with passwd
Index(es):
- Date
- Thread