
RE: [suse-security] sftp with no ssh login

> -----Original Message-----
> From: Sven 'Darkman' Michels [mailto:sven@xxxxxxxxxx]
> Sent: Wednesday, January 28, 2004 8:39 AM
> To: suse-security@xxxxxxxx
> Subject: Re: [suse-security] sftp with no ssh login
>
> Ben Yau wrote:
> >
> > Another thing to try is put "logout" at the beginning of ~/.bash_login.
> > Upon ssh login it will run the .bash_login and log them out. On sftp, it
> > won't run ~/.bash_login so they can still sftp
>
> ssh user@xxxxxxxxxxxxxxxxxx rm .bash_login
> ;)

Ruin my day .. go ahead :)

I started thinking of another solution (along the lines of alias
rm='logout') when I realized that a smart user could just sftp and put in a
new ~/.bash_profile.

Provided they were clever enough to figure out how you auto logged them out.

What you could do is in /etc/profile have it read a list of valid users/uid
from a root writable/world-readable file.  Then in /etc/profile throw in
some logic that if userid does not match the one reading the file then log
them out.  Then put users who you want to be able to ssh into the root owned

Another idea to test out and more secure.

Good thinking Sven :)

Off the subject here, but this reminds me of a time when this "big shot"
consultant guy came in to consult with our team at my first job (I was a
greenie sysadmin) and was showing me how to use sudo and made a list of
denied commands.  And I told him "isn't that a security hole?" and he said
"how?".   He had put all the shells in the denied commands so I copied
/bin/bash to ~/mybash and then ran it under sudo.

His jaw dropping was one of the funniest things I'd ever seen.  (Don't want
to be too hard on him though, he actually was a really GREAT guy and very
fun to work with).   So that's why you've got to be really careful with your
sudo configs :D  and in this case the way you attempt to deny ssh and still
allow sftp.

Ben Yau
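The /etc/profile allow-list check Ben sketches above, written out as an added example (not code from the thread); the file path /etc/ssh_shell_users and the function name are assumptions, and the demo uses a constructed allow list in a temp file.

```shell
# Added example: allow-list check for the /etc/profile idea in the post above.
# ALLOWED_FILE is an assumed path; the admin picks the real one. The file is
# root-owned and world-readable, one login name per line.
ALLOWED_FILE="${ALLOWED_FILE:-/etc/ssh_shell_users}"

# ssh_shell_allowed USER FILE
# Returns 0 if USER appears as a whole line in FILE, 1 otherwise. A missing or
# unreadable file, or an empty user name, fails closed (returns 1).
ssh_shell_allowed() {
    user="$1"
    file="$2"
    [ -n "$user" ] || return 1
    [ -r "$file" ] || return 1
    grep -qxF -- "$user" "$file"
}

# The lines that would go into /etc/profile. Because /etc/profile is root-owned,
# a user cannot replace it over sftp the way they could replace ~/.bash_profile:
#
#   if ! ssh_shell_allowed "$(id -un)" /etc/ssh_shell_users; then
#       echo "Shell access is not permitted for this account." >&2
#       exit 1
#   fi
#
# Caveat: /etc/profile is only sourced by login shells, so this covers
# interactive ssh logins; the sftp subsystem never reads it.

# Self-contained demo with a constructed allow list (alice and bob).
demo() {
    tmp=$(mktemp) || return 2
    printf '%s\n' alice bob > "$tmp"
    if ssh_shell_allowed alice "$tmp"; then a=0; else a=1; fi
    if ssh_shell_allowed mallory "$tmp"; then m=0; else m=1; fi
    rm -f "$tmp"
    echo "alice=$a mallory=$m"
}
```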
