ssh - NO SALE or NO GIVE ?
Markus Friedl
markus.friedl at informatik.uni-erlangen.de
Mon May 21 02:45:38 EST 2001
On Sun, May 20, 2001 at 10:48:20AM +0200, mark.pitt at ch.ibm.com wrote:
> rlogin=false is used by AIX systems to block only interactive sessions, i.e.
> rlogin and telnetd, but allows rsh and rcp as they are not interactive.
> Obviously this makes NO sense at all, and anyway you can always use X or
> such to generate an interactive session, but that is the way AIX works,
> rightly or wrongly.
>
> Is there ANY way AROUND this ?
for ssh there is no difference between rlogin and rsh.
the only thing you could do is disallow allocation of pty's
this is only possible with pubkey auth + options in .ssh/authorized_keys*
> SFTP
>
> Really needs to have a /etc/ftpusers file to provide a simple blocking
> mechanism for ftp.
make people think sftp is something like ftp, but it is not.
it's just some application running over ssh.
    ssh host /bin/date
does not check /etc/ftpusers, either.
sftp could be changed to behave like ftp, but currently it's
no different from
    ssh host /bin/date
> BUGS
>
> If rlogin=false then ssh still prompts for password, although it already
> knows access will be denied.
this is not a bug.
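
The reply above says pty allocation can only be refused through options in .ssh/authorized_keys. As an added example (not part of the original message and not OpenSSH code), this Python audit parses the options field of each authorized_keys line and lists the keys that can still get a pty. The sample keys and comments are constructed placeholders, and the handling of `restrict` and `pty`, options from later OpenSSH releases than this thread, is a generalization beyond the `no-pty` case discussed here.

```python
# Constructed sample; key blobs and comments are placeholders, not real keys.
SAMPLE = """\
ssh-rsa AAAAPLACEHOLDER1 alice@laptop
no-pty,command="/usr/bin/rsync --server -a . /srv/backup" ssh-rsa AAAAPLACEHOLDER2 backup@batch
from="10.0.0.5,10.0.0.6",no-port-forwarding ssh-ed25519 AAAAPLACEHOLDER3 deploy@ci
restrict,pty ssh-ed25519 AAAAPLACEHOLDER4 ops@bastion
restrict ssh-ed25519 AAAAPLACEHOLDER5 cron@host
"""

def split_options(line):
    # Options are comma-separated; spaces/commas are legal only inside quotes.
    if line.split(None, 1)[0].startswith(("ssh-", "ecdsa-", "sk-")):
        return [], line                        # begins with key type: no options
    opts, cur, quoted, i = [], "", False, 0
    while i < len(line):
        ch = line[i]
        if quoted and line[i:i + 2] == '\\"':  # escaped quote inside a value
            cur, i = cur + '\\"', i + 2
            continue
        if ch == '"':
            quoted = not quoted
        elif not quoted and ch == ",":         # option separator
            opts.append(cur)
            cur, i = "", i + 1
            continue
        elif not quoted and ch in " \t":       # end of the options field
            break
        cur += ch
        i += 1
    opts.append(cur)
    return opts, line[i:].strip()

def pty_allowed(opts):
    allowed = True                             # a pty is granted by default
    for opt in opts:                           # applied in order, last one wins
        name = opt.split("=", 1)[0].lower()
        if name in ("no-pty", "restrict", "pty"):
            allowed = name == "pty"
    return allowed

def audit(text):  # -> [(line_no, key_comment)] for keys that may get a pty
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if line and not line.startswith("#"):
            opts, rest = split_options(line)
            if pty_allowed(opts):
                findings.append((n, (rest.split() or ["?"])[-1]))
    return findings
```

`audit(SAMPLE)` reports lines 1, 3 and 4. A key with `no-pty` can still run non-interactive commands, so this check covers only the pty restriction.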