Suggestion for openssh
Ben Lindstrom
mouring at offwriting.org
Wed Feb 8 07:43:46 EST 2012
On Feb 7, 2012, at 6:04 AM, Paulo wrote:
> Hi!
>
> I do not know if it's the ideal place, but I'm sending some suggestion.
> Always use openssh and its enormous features.
>
> - I needed to create an environment with only sftp access and thus used:
>
> - Match User suporte
> ForceCommand / usr / lib / openssh / sftp-server
>
> OK! It worked perfectly! But only sftp.
>
> - Create an environment with only blocking the ssh, but scp and sftp
> access, I used:
> - Rssh;
> - Mysecureshell;
> - Scponly.
> Work, but change my SHELL, and also created another
> environment for authentication and this is not good.
>
>
> So I suggest to you developers the following idea:
> - Create the following options to sshd_config:
> - DenyCmdssh
> - DenyCmdscp
This is kinda bogus.. "scp" is just a normal program. All the scp command
does is the moral equiv of:
tar -cvf .. | ssh .. tar -xvf
So that deny command isn't possible unless you are looking to block the whole
ability to run remote commands. Which has been discussed and the decision
was long ago to let it be a shell level issue. As there is no really good way of
handling this. Even if the user has a normal shell they can still bluff this behavior
via expect scripts.
> - DenyCmdsftp
This is also bogus because if you deny "sftp" but allow "scp" one can still
do: sftp -1 ... which will act like how scp works by ignoring the subsystem
definitions.
It would be more useful to allow "Subsystem" be allowed in a 'Match' section and
ensure 'Subsystem sftp none' or such to remove it from the user's valid subsystem
support.
Still, not useful to deny subsystems if you still give them access to run remote commands.
> All three options above with default value "no".
> If I want to scp access only could perform the following configuration.
>
> - Match User suporte
> DenyCmdssh yes
> DenyCmdsftp yes
> DenyCmdscp no
I see above as why this wouldn't block "scp" and why you really need to do it via the
shell level.
You can look through the history of this mailinglist. This isn't the first time this has come up,
and I doubt it will be the last, but in truth this isn't a problem that can be neatly solved in
sshd and there are times it is just better to manage it via 3rd party tools.
- Ben
More information about the openssh-unix-dev
mailing list