[PATCH] sftp-server Restricted Access
petesea at bigfoot.com
Wed Jun 28 10:50:27 EST 2006
On Sun, 25 Jun 2006, Damien Miller wrote:
> Julien Demoor wrote:
>> This patch makes it possible to restrict sftp sessions to a certain
>> subtree of the file system on a per-Unix account basis.
> There has been a similar patch in bugzilla for a while:
> I'm looking at adding the ability to specify commandline arguments to
> SubSystem declarations in sshd_config, but it is a little fiddly as any
> change has to gracefully cope with forced commands in authorized_keys
> files as well as the fairly common practice of making sftp-only accounts
> by making sftp-server the user's login shell.
> It will be easier when Darren's "Match" stuff is done, because we can
> reuse it to do forced-commands in sshd_config.
Can you expand on "forced-commands in sshd_config" a bit?
I'm curious, because I'm wondering if it might be able replace the custom
changes I've made....
I recently added support for authorized_keys via GSSAPI/Kerberos
authentication... mainly so I could use the "command=" option. Then, I
realized, for my purpose, it would be better to just have a global
"ForcedCommand" defined in sshd_config, so I added that as well.
My reason for doing this is because I'm running sshd on a non-standard
port for CVS/Subversion access. My ForcedCommand makes sure that only
CVS/Subversion related commands can be run.
A couple of problems I ran into with the global forced command...
1) I had to add an sshd_config option to ignore the user's login shell
when exec'ing the forced command. The problem here is that the user's
login shell could be something like "/bin/false". If this option is set,
then I simply exec the forced command directly, rather then via the login
2) I also had to add an sshd_config option to ignore the user's home
directory. In my case, these same user's with a login shell of /bin/false
(which is the majority of users) don't have a real home directory either.
More information about the openssh-unix-dev