about ForceCommand, and the suppression of sftp server



I want to lock down only one user on my system. This user will use git
and rsync.
I will use a ForceCommand /usr/local/bin/restricted.sh
which is a shell script parsing the SSH_ORIGINAL_COMMAND variable and only allowing
some of those commands. I think this is OK.

Here are my questions:

1/ Is there a difference between using:
in sshd_config
Match User peer
       X11Forwarding no
       AllowTcpForwarding no
       ForceCommand /usr/local/bin/restricted.sh
       AuthorizedKeysFile     /etc/ssh/user/authorized_keys
(chroot is not setup but it will be soon).

Or restrict the user in his .authorized_keys file and chmod it
so that he can't change it?
ssh-rsa AAA(...)BBB comments

I'm using the sshd_config setup, but if the .authorized_keys way is
better I would like to know how.

When I use this setup, the user can't use scp and the script is called.
When I use sftp I have a strange error:
$ sftp user@
Received message too long 1953833061

I don't want this user to be able to use sftp. What's the right way to achieve
this without an error?

Is there some security issue I should take care of?
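Below is a worked version of the restricted.sh wrapper the post describes. It is an added example, not the poster's script or anything from OpenSSH, git or rsync. It assumes a layout that is not in the post: bare git repositories under /srv/git addressed by plain name, and /srv/rsync as the only tree rsync may touch (both overridable through the environment). The sftp branch relies on the fact that, under a forced command, an sftp subsystem request arrives in SSH_ORIGINAL_COMMAND as the command from the Subsystem line of sshd_config, so the script matches the two usual values (internal-sftp and a path ending in sftp-server); if your Subsystem line says something else, adjust the pattern. The "Received message too long" error in the post is what the sftp client reports when the forced script writes text to stdout: the client reads those bytes as the length field of an SFTP packet. The wrapper therefore writes every diagnostic to stderr and exits non-zero, which gives the user a clean refusal instead. The rsync branch only confines the path and rejects a handful of dangerous options; the rrsync script shipped with rsync does a full option audit and is the better choice if rsync usage is more than a plain push or pull.

```shell
#!/bin/sh
# restricted.sh - wrapper for "ForceCommand /usr/local/bin/restricted.sh" or for a
# command="/usr/local/bin/restricted.sh" option in authorized_keys.
# Added example, not code from the original post. Assumed layout (not in the post):
#   REPO_ROOT  - bare git repositories, addressed by plain name only
#   RSYNC_ROOT - the only directory rsync may read from or write to
REPO_ROOT="${REPO_ROOT:-/srv/git}"
RSYNC_ROOT="${RSYNC_ROOT:-/srv/rsync}"

# Diagnostics go to stderr only. Anything written to stdout is read by an sftp
# (or git) client as the start of a binary protocol packet, which is where
# "Received message too long" comes from.
refuse() {
    printf 'restricted: %s\n' "$1" >&2
    return 1
}

# classify_command CMD: print the class of an SSH_ORIGINAL_COMMAND value.
# With a forced command, an sftp subsystem request arrives as the command from
# the Subsystem line of sshd_config; the two usual values are matched here
# (assumption: adjust if your Subsystem line differs).
classify_command() {
    case "$1" in
        "")                          echo interactive ;;
        "git-upload-pack "*)         echo git-upload-pack ;;
        "git-receive-pack "*)        echo git-receive-pack ;;
        "rsync --server "*)          echo rsync ;;
        internal-sftp|*sftp-server*) echo sftp ;;
        *)                           echo other ;;
    esac
}

# git_repo_arg CMD: print the repository name from "git-upload-pack 'name'"
# (git single-quotes the path). Only a plain name is accepted, so the argument
# handed to git can never leave REPO_ROOT and can never start with "-".
git_repo_arg() {
    name="${1#* }"
    name="${name#\'}"
    name="${name%\'}"
    case "$name" in
        ''|*/*|*..*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    printf '%s\n' "$name"
}

# rsync_check CMD: accept "rsync --server [options] . <path>" only when every
# token is made of safe characters, no option can point rsync at another
# program or file, and the path is relative without ".." (rsync is then run
# with RSYNC_ROOT as its working directory). Minimal filter; see rrsync for
# a complete one.
rsync_check() {
    set -f                      # no globbing while splitting user input
    set -- $1
    set +f
    [ "$1" = rsync ] && [ "$2" = --server ] || return 1
    last=
    for arg in "$@"; do
        case "$arg" in
            *[!A-Za-z0-9._/=,-]*|--rsh*|--daemon*|--config*|--log-file*) return 1 ;;
        esac
        last=$arg
    done
    case "$last" in
        -*|/*|..|../*|*/..|*/../*) return 1 ;;
    esac
}

main() {
    cmd="${SSH_ORIGINAL_COMMAND:-}"
    kind=$(classify_command "$cmd")
    case "$kind" in
        git-upload-pack|git-receive-pack)
            repo=$(git_repo_arg "$cmd") || { refuse "bad repository name"; exit 1; }
            exec "$kind" "$REPO_ROOT/$repo"
            ;;
        rsync)
            rsync_check "$cmd" || { refuse "rsync arguments not allowed"; exit 1; }
            cd "$RSYNC_ROOT" || exit 1
            set -f
            set -- $cmd
            set +f
            shift                   # drop the leading "rsync"
            exec rsync "$@"
            ;;
        sftp)        refuse "sftp is disabled for this account"; exit 1 ;;
        interactive) refuse "interactive shells are not allowed"; exit 1 ;;
        *)           refuse "command not allowed"; exit 1 ;;
    esac
}

# Dispatch only when run as restricted.sh; sourcing the file just defines the
# functions (rename the pattern if you install the script under another name).
case "${0##*/}" in
    restricted.sh) main ;;
esac
```

The same script serves both setups from the question. With the Match block, `ForceCommand /usr/local/bin/restricted.sh` applies to every key the user has, and `AuthorizedKeysFile /etc/ssh/user/authorized_keys` already keeps the key file out of the user's reach. The per-key equivalent is a line of the form `command="/usr/local/bin/restricted.sh",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa AAA(...)BBB comment` in that file; a `ForceCommand` in sshd_config takes precedence when both are present, so keeping it in the Match block is the safer default and the key options then only add defence in depth. For sftp the wrapper prints its refusal to stderr and exits 1, so the client reports the message and a non-zero exit instead of "Received message too long".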

