SFTP Logging

Markus Friedl markus.friedl at informatik.uni-erlangen.de
Sat Jun 16 18:46:36 EST 2001


On Fri, Jun 15, 2001 at 10:37:49AM -0400, Jason A . Dour wrote:
> On Fri, Jun 15, 2001 at 10:27:54AM +1000, Andrew Bartlett wrote:
> > Remember that it will amount to moot unless you use a restricted
> > shell, like the one I have posted to this list earlier, as
> > otherwise users can just use their own SFTP server - without your
> > logging capabilities.
> 
> True.  But I'm also coding such a shell to meet my needs for
> SFTP/SCP restricted users only.  And I'm also spelunking the OpenSSH
> codebase to see about separating authentication and authorization.
> 
> I don't know if authent/authoriz separation has been discussed
> before, but regardless of the authentication method I've allowed, I
> need to restrict what a user can do.  I haven't come up with a clear
> solution yet, but I've a few ideas forming...

is authorization openssh's job?

i'm not sure. you could move all the authorization logic
into a different layer, e.g. a special login shell.
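
Added example, not part of the original messages and not OpenSSH code: a sketch of the "special login shell" layer discussed above, which authorizes only the SFTP subsystem and server-side scp and logs each decision. The path in `SFTP_SERVER`, the `rsh-sftp` syslog tag and the function name `authorize` are assumptions made for illustration.

```shell
#!/bin/sh
# Restricted login shell sketch for SFTP/SCP-only accounts (added example).
# SFTP_SERVER is an assumed path; it must match the Subsystem line in sshd_config.
LC_ALL=C; export LC_ALL
PATH=/usr/bin:/bin; export PATH
SFTP_SERVER="${SFTP_SERVER:-/usr/libexec/sftp-server}"

# authorize CMD: return 0 only if the command string sshd passed via -c is allowed.
authorize() {
    cmd=$1
    # Refuse empty input and any character outside a small safe set, which
    # excludes ; | & $ ` quotes, globs and newlines. Paths with spaces are refused too.
    case $cmd in
        *[!A-Za-z0-9\ ./_-]*|'') return 1 ;;
    esac
    set -f; set -- $cmd; set +f          # split into words without globbing
    case $1 in
        "$SFTP_SERVER")
            [ $# -eq 1 ] ;;              # the logged SFTP server, no arguments
        scp)
            shift; mode=0
            while [ $# -gt 1 ]; do
                case $1 in
                    -t|-f) mode=$((mode + 1)) ;;   # sink / source mode
                    -r|-p|-d|-v) ;;
                    *) return 1 ;;                 # any other option is refused
                esac
                shift
            done
            # exactly one mode flag, then one operand that is not an option
            [ "$mode" -eq 1 ] && [ $# -eq 1 ] && case $1 in -*) false ;; esac
            ;;
        *) return 1 ;;                   # e.g. a user-supplied sftp-server binary
    esac
}

# sshd starts the account's login shell as: <shell> -c "<command>".
# Anything else (such as an interactive login) falls through and gets no shell.
if [ "${1:-}" = "-c" ] && [ $# -eq 2 ]; then
    safe=$(printf %s "$2" | tr -c '[:print:]' '?')   # keep log lines single-line
    if authorize "$2"; then
        logger -p auth.info -t rsh-sftp "allow user=$(id -un) cmd=$safe"
        set -f; exec $2
    fi
    logger -p auth.notice -t rsh-sftp "deny user=$(id -un) cmd=$safe"
    exit 1
fi
```
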



More information about the openssh-unix-dev mailing list