keypair auth and limiting access to sftp

Peter W peterw at usa.net
Wed Sep 19 20:55:25 EST 2001


On Wed, Sep 19, 2001 at 09:41:57AM +0200, Markus Friedl wrote:
> On Wed, Sep 19, 2001 at 02:17:31AM -0400, James Ralston wrote:
> > On Tue, 18 Sep 2001, Markus Friedl wrote:

> > > how is this related to command="xxx" ?
> > 
> > It isn't, really; Peter was addressing a different issue (that sftp
> > bypassed command="xxx" restrictions)...
> 
> well, openssh never claimed that command="xx" applies to subsystems.

Perhaps not, but to the extent that command="xx" is supposed to limit
what the keypair can do, the fact that it does not stop sftp, and that 
there is no way to explicitly disable subsystems like sftp for each key, 
means that command="xx" is fundamentally unsafe in most systems. :-(

There is a general consensus that the next release will be modified so 
that it is possible to override/disable subsystems per key, right?

Thanks,

-Peter
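
An added example, not part of the original message or of OpenSSH: a small audit that lists `authorized_keys` entries relying on `command="..."` while the server configuration still enables subsystems, the combination this thread describes as unrestricted. The sample file contents, paths and function names are constructed for illustration, and the check assumes the server behaves as described in this thread.

```python
import re

# Constructed sample inputs (not from the original message).
SAMPLE_SSHD_CONFIG = """\
Port 22
Subsystem sftp /usr/libexec/sftp-server
#Subsystem disabled /bin/false
"""
SAMPLE_AUTHORIZED_KEYS = """\
command="/usr/local/bin/backup --dir \\"/srv, data\\"",no-pty ssh-rsa AAAAB3constructed1 backup@host
ssh-rsa AAAAB3constructed2 admin@host
from="10.0.0.*",command="rsync --server" ssh-dss AAAAB3constructed3 mirror@host
"""
KEYTYPE = re.compile(r"^(ssh-|ecdsa-|sk-|\d+$)")  # a line starting like this has no options

def enabled_subsystems(sshd_config):
    """Return the names of Subsystem directives that are not commented out."""
    names = []
    for line in sshd_config.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 3 and parts[0].lower() == "subsystem":
            names.append(parts[1])
    return names

def forced_command(line):
    """Return the command="..." value of one authorized_keys line, or None."""
    line = line.strip()
    if not line or line.startswith("#") or KEYTYPE.match(line.split()[0]):
        return None
    # The options field ends at the first whitespace outside double quotes;
    # a backslash-escaped quote inside a value does not close it.
    in_quote, i = False, 0
    while i < len(line) and (in_quote or not line[i].isspace()):
        if in_quote and line[i] == "\\" and line[i + 1:i + 2] == '"':
            i += 1
        elif line[i] == '"':
            in_quote = not in_quote
        i += 1
    m = re.search(r'(?:^|,)command="((?:\\"|[^"])*)"', line[:i], re.I)
    return m.group(1).replace('\\"', '"') if m else None

def audit(sshd_config, authorized_keys):
    """Return (line_no, forced_command, subsystems) for each restricted key
    that coexists with at least one enabled subsystem."""
    subs = enabled_subsystems(sshd_config)
    findings = []
    for n, line in enumerate(authorized_keys.splitlines(), 1):
        cmd = forced_command(line)
        if cmd is not None and subs:
            findings.append((n, cmd, subs))
    return findings
```
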



More information about the openssh-unix-dev mailing list