keypair auth and limiting access to sftp

mouring at etoh.eviladmin.org
Mon Sep 17 12:37:55 EST 2001


Peter, you may want to check the current snapshot.  On 9/14 I included
a patch from the OpenBSD tree on subsystem and key pairs.

[..]
   - markus at cvs.openbsd.org 2001/09/14
     [session.c]
     command=xxx overwrites subsystems, too
[..]

Hope this helps what you are doing.

On Sun, 16 Sep 2001, Peter W wrote:

> On Sun, Sep 16, 2001 at 09:38:30PM -0400, James Ralston wrote:
>
> > Even worse, I can't disable sftp access for chroot()'ed accounts
> > without disabling it for everyone.  (Using the "command" option in the
> > authorized_keys2 file will break scp, but sftp will still work.)
>
> I was about to post on that topic. I would like to see OpenSSH changed
> so you can have the sftp subsystem installed/available, but *disable*
> access to the sftp subsystem on a keypair-by-keypair basis in the
> authorized_keys2 file, much as one restricts commands with command=
>
> As it stands,[0] it is unsafe to depend on authorized_keys2 to restrict
> a client keypair authentication to some well-defined task.
>
> -Peter
>
> [0] based on my observations of 2.5.2p2, reading of 2.9x documentation,
>     and a response on usenet
>
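
An added example (not part of the original thread, and not OpenSSH code): a small audit that lists which keys in an authorized_keys2-style file carry a command= option. Per the thread, command= also governs the sftp subsystem only on builds that include the 2001/09/14 session.c change. The key blobs, comments and command path in SAMPLE are constructed, and only protocol 2 key lines are handled.

```python
KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-", "sk-")

def split_options(line):
    """Split the leading options field from a key line -> (options, rest)."""
    if line.startswith(KEY_TYPES):
        return {}, line                      # no options field present
    opts, name, buf, quoted, i = {}, None, [], False, 0
    while i < len(line):
        ch = line[i]
        if quoted and ch == "\\" and line[i + 1:i + 2] == '"':
            buf.append('"')                  # \" is a literal quote in a value
            i += 1
        elif ch == '"':
            quoted = not quoted
        elif not quoted and ch == "=" and name is None:
            name, buf = "".join(buf).lower(), []
        elif not quoted and ch in ", \t":    # end of one option
            key = "".join(buf).lower() if name is None else name
            opts[key] = True if name is None else "".join(buf)
            name, buf = None, []
            if ch != ",":
                break                        # unquoted blank ends the field
        else:
            buf.append(ch)
        i += 1
    return opts, line[i:].strip()

def audit(text):
    """Return one (comment, forced command or None) pair per key line."""
    findings = []
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#"):
            continue
        opts, rest = split_options(line)
        fields = rest.split(None, 2)
        if len(fields) >= 2:                 # key type and key blob present
            comment = fields[2] if len(fields) > 2 else "(no comment)"
            findings.append((comment, opts.get("command")))
    return findings

# Constructed sample: key blobs, comments and the command path are made up.
SAMPLE = '''
command="/usr/local/bin/backup --mode=pull",no-pty ssh-rsa AAAAconstructed1 backup@example
ssh-dss AAAAconstructed2 admin@example
from="192.0.2.10" ssh-rsa AAAAconstructed3 deploy@example
'''
if __name__ == "__main__":
    for comment, cmd in audit(SAMPLE):
        print(comment, "->", cmd or "no command= restriction")
```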




More information about the openssh-unix-dev mailing list