keypair auth and limiting access to sftp
mouring at etoh.eviladmin.org
Mon Sep 17 12:37:55 EST 2001
Peter, you may want to check the current snapshot. On 9/14 I included
a patch from the OpenBSD tree on subsystem and key pairs.
[..]
- markus at cvs.openbsd.org 2001/09/14
[session.c]
command=xxx overwrites subsystems, too
[..]
Hope this helps what you are doing.
On Sun, 16 Sep 2001, Peter W wrote:
> On Sun, Sep 16, 2001 at 09:38:30PM -0400, James Ralston wrote:
>
> > Even worse, I can't disable sftp access for chroot()'ed accounts
> > without disabling it for everyone. (Using the "command" option in the
> > authorized_keys2 file will break scp, but sftp will still work.)
>
> I was about to post on that topic. I would like to see OpenSSH changed
> so you can have the sftp subsystem installed/available, but *disable*
> access to the sftp subsystem on a keypair-by-keypair basis in the
> authorized_keys2 file, much as one restricts commands with command=
>
> As it stands,[0] it is unsafe to depend on authorized_keys2 to restrict
> a client keypair authentication to some well-defined task.
>
> -Peter
>
> [0] based on my observations of 2.5.2p2, reading of 2.9x documentation,
> and a response on usenet
>
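
An added example, not part of the original thread or of OpenSSH: once `command=` also applies to subsystem requests, as the session.c change quoted above describes, a forced-command wrapper like this one can refuse sftp for a single key while leaving the subsystem enabled for everyone else. The wrapper path, the permitted task and the key line are hypothetical, and it assumes sshd passes the client's request in `SSH_ORIGINAL_COMMAND` (for a subsystem request, the subsystem's configured command) and sets `SSH_CONNECTION`, as current OpenSSH does.

```shell
#!/bin/sh
# Added example: forced-command gate for one key. Referenced from that key's
# line in authorized_keys2 (path and key blob are placeholders):
#   command="/usr/local/bin/key-gate.sh",no-pty,no-port-forwarding ssh-rsa AAAA...PLACEHOLDER backup-key
# Assumption: sshd exports the client's request in SSH_ORIGINAL_COMMAND, and
# for a subsystem request that value is the subsystem's configured command.

ALLOWED_CMD="/usr/local/bin/run-backup"   # hypothetical single permitted task

# classify REQUEST -> prints allow | deny-shell | deny-sftp | deny-other
classify() {
    case "$1" in
        "$ALLOWED_CMD")                echo allow ;;
        "")                            echo deny-shell ;;  # interactive login, no command
        *sftp-server*|internal-sftp*)  echo deny-sftp ;;   # sftp subsystem request
        *)                             echo deny-other ;;  # scp, arbitrary commands, ...
    esac
}

# Act only inside an sshd session; otherwise nothing is executed (fails closed).
if [ -n "${SSH_CONNECTION:-}" ]; then
    verdict=$(classify "${SSH_ORIGINAL_COMMAND:-}")
    if [ "$verdict" = allow ]; then
        exec "$ALLOWED_CMD"            # run the fixed path, never the client's string
    fi
    echo "key-gate: request refused ($verdict)" >&2
    exit 1
fi
```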