SFTP Logging
Jason A . Dour
jason at dour.org
Sun Jun 17 01:29:48 EST 2001
On Sat, Jun 16, 2001 at 10:46:36AM +0200, Markus Friedl wrote:
> On Fri, Jun 15, 2001 at 10:37:49AM -0400, Jason A . Dour wrote:
> > I don't know if authent/auhtoriz separation has been discussed
> > before, but regardless of the authentication method I've allowed, I
> > need to restrict what a user can do. I havne't come up with a clear
> > solution yet, but I've a few ideas forming...
>
> is authorization openssh's job?
Not necessarily. But it presently is partly its job by the fact
that certain levels of authorization can take place when you use
key-based authentication.
Being able to limit what commands are allowed, intituting override
commands, and the like that are possible with key-based auth, I
would like to do with any authentication specified as valid.
> i'm not sure. you could move all the authorization logic
> into a different layer, e.g. a special login shell.
True. I had actually given this some thought, but I didn't want to
duplicate the work done with key-based authorization. So I was
wondering if it made more sense to include it into that code and
then make openssh's authorization work for all authentications.
I already have a basic SFTP only restricted shell, and it works
quite nicely. It would be nice to have it scan a config file for its
information for some finer-grained control, but before I started
down that path I wanted to evaluate putting such code into the
server proper.
Has any of this been discussed before? Am I covering old ground?
If so, I'd love to see the archives of the previous discussions
in case there are some pitfalls that have been discussed.
Cheers,
Jason
# "Jason A. Dour" <jason at dour.org> http://dour.org/
# Founder / Executive Producer - PJ Harvey Online - http://pjh.org/
More information about the openssh-unix-dev
mailing list