
Re: [suse-security] sftp with no ssh login

Ben Yau wrote:

-----Original Message-----
From: Sven 'Darkman' Michels [mailto:sven@xxxxxxxxxx]

Ben Yau wrote:
Another thing to try is put "logout" at the beginning of ~/.bash_login.
Upon ssh login it will run the .bash_login and log them out.
On sftp, it won't run ~/.bash_login so they can still sftp.
ssh user@xxxxxxxxxxxxxxxxxx rm .bash_login


Ruin my day .. go ahead :)

I started thinking of another solution (along the lines of alias
rm='logout') when I realized that a smart user could just sftp and put in a
new ~/.bash_profile.

Provided they were clever enough to figure out how you auto logged them out.

Depends on what's acceptable at your place. You could give the person (people) a home dir that is owned by root, and all files in the home dir owned by root, with perms of 555 (basically a shell home, just enough to make whatever you need work); then you could set things up that way. It seems to me there should be a more elegant way, but my point is you should be able to make the above work. That is assuming you're allowed to lock it down that tight (by management).
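
The root-owned, mode 555 home directory suggested above can be checked with a short audit script. This is an added example, not part of the original post; the function name `audit_locked_home`, the script name and the sample path are hypothetical.

```shell
#!/bin/sh
# audit_locked_home DIR [OWNER]
# Returns 0 if DIR matches the lock-down described above: every entry owned
# by OWNER (default root) and no write bit anywhere. Prints findings otherwise.
audit_locked_home() {
    home_dir=$1
    owner=${2:-root}    # user name or numeric uid

    if [ ! -d "$home_dir" ]; then
        echo "not a directory: $home_dir" >&2
        return 2
    fi

    # An entry the account owns can be chmod'ed writable again by that account,
    # so ownership matters as much as the mode bits.
    wrong_owner=$(find "$home_dir" ! -user "$owner" -print)

    # Write permission on a directory is what allows deleting or replacing
    # files in it (the "rm .bash_login" and sftp "put" cases from the thread).
    # Symlinks are skipped: their own mode bits are not used for access checks.
    writable=$(find "$home_dir" ! -type l \
        \( -perm -200 -o -perm -020 -o -perm -002 \) -print)

    rc=0
    if [ -n "$wrong_owner" ]; then
        printf 'not owned by %s:\n%s\n' "$owner" "$wrong_owner"
        rc=1
    fi
    if [ -n "$writable" ]; then
        printf 'write bit set:\n%s\n' "$writable"
        rc=1
    fi
    return $rc
}

# Run as: sh audit_home.sh /home/sftpuser   (path and script name are hypothetical)
if [ "$#" -gt 0 ]; then
    audit_locked_home "$@"
fi
```

A non-zero exit lists the entries that would still let the account remove or replace its own login files.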

