SFTP Logging
Markus Friedl
markus.friedl at informatik.uni-erlangen.de
Sat Jun 16 18:46:36 EST 2001
On Fri, Jun 15, 2001 at 10:37:49AM -0400, Jason A . Dour wrote:
> On Fri, Jun 15, 2001 at 10:27:54AM +1000, Andrew Bartlett wrote:
> > Remember that it will amount to moot unless you use a restricted
> > shell, like the one I have posted to this list earlier, as
> > otherwise users can just use their own SFTP server - without your
> > logging capabilities.
>
> True. But I'm also coding such a shell to meet my needs for
> SFTP/SCP restricted users only. And I'm also spelunking the OpenSSH
> codebase to see about separating authentication and authorization.
>
> I don't know if authent/authoriz separation has been discussed
> before, but regardless of the authentication method I've allowed, I
> need to restrict what a user can do. I haven't come up with a clear
> solution yet, but I've a few ideas forming...
is authorization openssh's job?
i'm not sure. you could move all the authorization logic
into a different layer, e.g. a special login shell.