restricted shell
Markus Friedl
markus.friedl at informatik.uni-erlangen.de
Mon Apr 30 02:03:04 EST 2001
On Sat, Apr 28, 2001 at 12:44:32PM -0400, Gyepi SAM wrote:
> On Sat, Apr 28, 2001 at 06:24:48PM +0200, Markus Friedl wrote:
> > it's easier if the sftp-server does chroot.
>
> But then scp would also have to do the same thing if we are allowing both.
> It would seem easier to be to leave sftp-server and scp as they are and
> centralize the chroot and other related local security measures in the
> restricted shell, no?
no :)
if sshd chroots, you need to copy the (static?) sftp-server
to every home-dir. this is no fun on solaris, just
look at the mess ssh-chrootmgr(1) creates.
> > additionally you have to disallow writing of $HOME,
> > restrict sftp to subdirs only. otherwise the user
> > can modify .ssh or .forward...
>
> I would leave this as an administrator option since I can imagine scenarios
> where both of those actions might be desirable.
yes, but they are usually not aware of this.
-m
More information about the openssh-unix-dev
mailing list