List: hpux-admin
Subject: [HPADM] Restricted SFTP without user being able to SSH into server.
From: "James J. Perry" <jjperry () water ! com>
Date: 2005-03-25 19:33:56
Message-ID: 35C9A2CFC27ACC439F4F97B1915D3FA223200D () EXVS01 ! dsw ! net

We are migrating to servers where security policy dictates secure ftp
sessions only. In the past we just used restricted FTP with the user's
shell prompt set to /bin/false or /etc/ftponly.

When I do an sftp to that server, I get a message "illegal user XYZ from
ip ..." and the access is denied. When I set the shell to /bin/sh, I
can sftp into the server, but it is not directory restricted to their
home directory. Also, the user can use SSH to log in to the server,
which is most undesirable.

I have dug around on man pages, Googled, and looked at OpenSSH.org, but
cannot find out a way to configure the sshd or sftp to make sftp work
like restricted FTP.

Thanks
-Jim
--
---> Please post QUESTIONS and SUMMARIES only!! <---
To subscribe/unsubscribe to this list, contact majordomo@dutchworks.nl
Name: hpux-admin@dutchworks.nl Owner: owner-hpux-admin@dutchworks.nl
Archives: ftp.dutchworks.nl/pub/digests/hpux-admin (FTP, browse only)
http://www.dutchworks.nl/htbin/hpsysadmin (Web, browse & search)