- Posted on
January 25, 2006, 6:29 pm
shell access on a Solaris 10 system.
The old trick used for restricting traditional FTP access only was to
assign users the shell /bin/false. That won't work for ssh and sftp.
I've read a few posts about using "scponly" as a default user shell
which prohibits user shell access but allows sftp and ftp access. A
December 2005 security advisory mentioned that scponly had a security
problem passing shell arguments thereby allowing a root compromise. The
alert suggested upgrading to version 4.3 (?).
Does anyone have experience with scponly or have other recommendations
for restricting shell access on Solaris 10? We don't want to create
individual RBAC user profiles but would consider assigning all these
users a common shell in /etc/passwd.
california state university
- Nico Kadel-Garcia
January 26, 2006, 12:33 am
Re: scponly, allowing sftp and denying ssh access
Don't bother. If you need secret upload as well as download, install an
Apache server with WebDAV enabled, and use the built-in user account
management features of Apache. That way, not only can you mount the WebDAV
filesystem on many OS's, but you can access it with just about every major
browser, and do uploads with the built-in tools of most OS's rather than
relying on your users to correctly manage an FTP/SFTP client.
See above. It's easy to manage.
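
The setup suggested in the reply above, sketched as an added example (it is not part of the original post or any poster's configuration). The URL path, directory paths and realm name are assumptions; the directives are standard Apache httpd ones from mod_dav, mod_dav_fs and the Basic/file authentication modules.

```apache
# Added example. All paths, the /files URL and the realm name are assumed
# placeholders. Requires mod_dav, mod_dav_fs, mod_auth_basic (or the
# server's equivalent Basic auth module) and mod_ssl to be loaded.
#
# Place this inside an HTTPS virtual host: Basic authentication sends the
# password base64-encoded only, so it needs TLS underneath.

# Lock database used by mod_dav_fs (server-level directive). The directory
# must be writable by the user Apache runs as.
DavLockDB /var/apache/davlock/DavLock

# Map the URL to a directory outside the normal document root.
Alias /files /export/dav/files

<Directory /export/dav/files>
    # Enable WebDAV methods (PUT, DELETE, MKCOL, PROPFIND, ...) here.
    Dav On

    # Allow directory listings for browser access, nothing else:
    # no CGI execution, no server-side includes, no symlink following.
    Options Indexes
    # Ignore any uploaded .htaccess file so users cannot change the policy.
    AllowOverride None

    AuthType Basic
    AuthName "File transfer"
    # Accounts live in this file (created with the htpasswd utility),
    # not in /etc/passwd, so these users need no system account and
    # therefore have no login shell to restrict.
    AuthUserFile /etc/apache/dav.htpasswd
    Require valid-user
</Directory>
```

Keep the password file outside any directory Apache serves, and keep the upload directory free of handlers that would execute uploaded files.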