
Fw: [suse-security] sftp with no ssh login



Hi to all again, thanks for all the ideas!

What I did at the end is a mix of some things you guys said:

1.- created a .bashrc file with a logout on the first line for all users
(Just one)
2.- Change shell to bash for all these users.
3.- chown root .bashrc
4.- chmod 555 .bashrc

And there you go!

Do you find a hole in that?

Regards.

> Ben Yau wrote:
>
> >>-----Original Message-----
> >>From: Sven 'Darkman' Michels [mailto:sven@xxxxxxxxxx]
> >>
> >>Ben Yau wrote:
> >>
> >>
> >>>Another thing to try is put "logout" at the beginning of ~/.bash_login.
> >>>Upon ssh login it will run the .bash_login and log them out. On sftp, it
> >>>won't run ~/.bash_login so they can still sftp
> >>>
> >>
> >>ssh user@xxxxxxxxxxxxxxxxxx rm .bash_login
> >>
> >>;)
> >>
> >>
> >
> >Ruin my day .. go ahead :)
> >
> >I started thinking of another solution (along the lines of alias
> >rm='logout') when I realized that a smart user could just sftp and put in a
> >new ~/.bash_profile.
> >
> >Provided they were clever enough to figure out how you auto logged them out.
> >...
> >
> >
>
> Depends on what's acceptable at your place.  You could give the person
> (people) a home dir that is owned by root, and all files in the home dir
> owned by root, with perms of 555 (basically a shell home, just enough to
> make whatever you need work); then you could set things up that way.  It
> seems to me there should be a more elegant way, but my point is you
> should be able to make the above work.  That is assuming you're allowed
> to lock it down that tight (by management).
>
> HTH,
> Kevin
>
>
> -- 
> Check the headers for your unsubscription address
> For additional commands, e-mail: suse-security-help@xxxxxxxx
> Security-related bug reports go to security@xxxxxxx, not here
>
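
A check for the layout Kevin describes (home directory and startup files owned by root and not writable by anyone else), added here as an example and not part of the thread. The name `audit_home`, the `trusted_uid` parameter and the list of startup files are this example's assumptions; it also reports write access to the home directory itself, because renaming or replacing a file depends on the directory's permissions rather than on who owns the file.

```python
import os
import stat
import tempfile

# Files bash may read at startup (login and interactive shells).
STARTUP_FILES = (".bash_profile", ".bash_login", ".profile", ".bashrc")
OTHERS_WRITE = stat.S_IWGRP | stat.S_IWOTH


def audit_home(home, trusted_uid=0):
    """List conditions that let the account owner replace a startup file."""
    findings = []
    st = os.stat(home)
    # Create/rename/delete rights come from the directory, not the file:
    # whoever can write to the home directory can swap a root-owned .bashrc.
    if st.st_uid != trusted_uid:
        findings.append(f"{home}: owned by uid {st.st_uid}, expected {trusted_uid}")
    if st.st_mode & OTHERS_WRITE:
        findings.append(f"{home}: group/other writable")
    for name in STARTUP_FILES:
        path = os.path.join(home, name)
        try:
            fst = os.lstat(path)  # lstat: do not follow symlinks
        except FileNotFoundError:
            continue  # absent file is only a problem if the directory is writable
        if stat.S_ISLNK(fst.st_mode):
            findings.append(f"{path}: is a symlink")
        elif fst.st_uid != trusted_uid:
            findings.append(f"{path}: owned by uid {fst.st_uid}, expected {trusted_uid}")
        elif fst.st_mode & OTHERS_WRITE:
            findings.append(f"{path}: group/other writable")
    return findings


def demo():
    """Constructed sample home with a mode-555 .bashrc, audited twice."""
    me = os.getuid()
    with tempfile.TemporaryDirectory() as home:
        os.chmod(home, 0o755)
        rc = os.path.join(home, ".bashrc")
        with open(rc, "w") as fh:
            fh.write("logout\n")
        os.chmod(rc, 0o555)
        locked = audit_home(home, trusted_uid=me)          # owner is the trusted uid
        user_owned = audit_home(home, trusted_uid=me + 1)  # owner is not the trusted uid
    return locked, user_owned


if __name__ == "__main__":
    for result in demo():
        print(result)
```

On a real system the call would be `audit_home("/home/<user>")` with the default `trusted_uid=0`, run as root for each sftp-only account.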

