| Newsgroups | comp.security.ssh |
|---|---|
| From | Kevin Denis <kevin@nowhere.invalid> |
| Subject | about ForceCommand, and the suppression of sftp server |
| Organization | Inefficace |
| Message-ID | <slrnj2giqr.48q.kevin@slackwall.local.tux> (permalink) |
| Date | 2011-07-21 15:41 +0000 |
Hello,
I want to lock down only one user on my system. This user will use git
and rsync.
I will use a ForceCommand /usr/local/bin/restricted.sh,
which is a shell script parsing the SSH_ORIGINAL_COMMAND variable and only allows
some of those. I think this is OK.
Here are my questions:
1/ Is there a difference between using, in sshd_config:
    Match User peer
        X11Forwarding no
        AllowTcpForwarding no
        ForceCommand /usr/local/bin/restricted.sh
        AuthorizedKeysFile /etc/ssh/user/authorized_keys
(chroot is not set up but it will be soon),
or restricting the user in his .authorized_keys file and chmod-ing it
so that he can't change it?
    command="/usr/local/bin/restricted.sh",no-port-forwarding ssh-rsa AAA(...)BBB comments
I'm using the sshd_config setup, but if the .authorized_keys is
better I would like to know how.
2/
When I use this setup, the user can't use scp and the script is called.
When I use sftp I get a strange error:
    $ sftp user@192.168.19.2
    Received message too long 1953833061
I don't want this user to be able to use sftp. What's the right way to achieve
this without an error?
3/
Is there some security issue I should take care of?
Thanks
--
Kevin
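
A deny-by-default shape for the restricted.sh wrapper the post describes, as an added example (not the poster's script or part of the original message). The sftp client reads the first four bytes the server sends as a packet length, so any text a forced command writes to stdout produces "Received message too long"; the length quoted in the post decodes to the ASCII bytes "tu e", which is why denials below go to stderr. The function names, the character allow-list and the use of git-shell are assumptions of this example.

```shell
#!/bin/sh
# Added example: deny-by-default ForceCommand wrapper (names are hypothetical).
LC_ALL=C; export LC_ALL    # make the A-Z / a-z ranges below byte-exact

# Turn the length from "Received message too long N" back into its 4 bytes.
decode_sftp_len() {
    n=$1
    esc=$(printf '\\0%03o\\0%03o\\0%03o\\0%03o' \
        $((n >> 24 & 255)) $((n >> 16 & 255)) $((n >> 8 & 255)) $((n & 255)))
    printf '%b' "$esc"
}

# Classify the client's requested command: prints git, rsync or deny.
classify() {
    case $1 in
        *[!A-Za-z0-9\ ._/=,\'-]* | *..*) echo deny ;;  # metacharacters, ".."
        "git-upload-pack '"*"'" | "git-receive-pack '"*"'") echo git ;;
        "rsync --server "*) echo rsync ;;
        *) echo deny ;;            # sftp-server, interactive shell, empty, ...
    esac
}

# Dispatch without ever handing the client's string to a shell.
restricted_main() {
    cmd=${SSH_ORIGINAL_COMMAND:-}
    case $(classify "$cmd") in
        git)   exec git-shell -c "$cmd" ;;   # git-shell validates it again
        rsync) set -f; exec $cmd ;;          # split on spaces only, no globbing
        *)     echo "restricted.sh: command not allowed" >&2; exit 1 ;;
    esac
}

# Run only when installed under the name used in the post.
case $0 in */restricted.sh) restricted_main ;; esac
```

The rsync branch does not confine which paths are read or written; that is left to the chroot the post plans, or to the rrsync helper shipped with rsync.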