
BLU Discuss list archive



Telnet to SSH migration



> I am deprecating the use of telnet for ssh.
>  However, I need to limit the capabilities provided by ssh down

If you set their "shell" in /etc/passwd, as with telnet, it should
work the same.

I'm told RSH and Chroot can make a very effective jail for restricted users.

> no scp, no sftp,

They don't have FTP today?  When stamping out insecure telnet, it's
time to stamp out insecure FTP with SCP too. (There is also an
scp-only variant for FTP-replacement incoming-file accounts, to
prevent SCP users from doing SSH remote commands or SSH shell. But I
rather like SCP users to be able to do an "ssh ls".)


If the default PATH doesn't have the scp/sftp binaries, I think those
are blocked too.

If the user can only run a few commands, I wonder what good
port-forwarding would do the users, or what harm it would do. They
can't run something that connects to the port they're back-forwarding.
If they can connect to port 22, they probably can connect to port 25
too, so forward forwarding buys them little -- unless the system is
in a firewall-protected location, or there are some ports that react
differently to connects from localhost.

If you really want your users in a jail, why give them unix ids at
all? A web portal with their 5 commands on it keeps them in an even
simpler jail.


-- 
Bill
n1vux at arrl.net bill.n1vux at gmail.com
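Added example for this thread (not code from Bill's post or from any of the tools he mentions): one way to get the "few commands, no scp, no sftp, no forwarding" account Bill describes with stock OpenSSH, using a forced-command wrapper. The install path /usr/local/bin/restricted-cmd, the Unix group "restricted", and the five-command allowlist are assumptions for the example; adjust them to your site.

```sh
#!/bin/sh
# restricted-cmd: forced-command wrapper for SSH accounts that may run only a
# fixed handful of commands (no scp, no sftp, no shell, no forwarding).
# Added example for this thread, not code from the original post.
# Hypothetical install path: /usr/local/bin/restricted-cmd
#
# Per-key install, in the restricted user's ~/.ssh/authorized_keys:
#   command="/usr/local/bin/restricted-cmd",restrict ssh-ed25519 AAAA... user
# ("restrict" = no-pty, no-port-forwarding, no-agent-forwarding,
#  no-X11-forwarding and no-user-rc in one option; OpenSSH 7.2 or later.)
#
# Central install, in sshd_config (the group name "restricted" is assumed):
#   Match Group restricted
#       ForceCommand /usr/local/bin/restricted-cmd
#       AllowTcpForwarding no
#       AllowAgentForwarding no
#       X11Forwarding no
#       PermitTTY no
#
# sshd hands the client's request to us in SSH_ORIGINAL_COMMAND: "scp -t ..."
# or "scp -f ..." for scp, the configured sftp-server path for the sftp
# subsystem, and nothing at all for a plain interactive login.  Because only
# allowlisted first words get through, scp and sftp need no special casing.

# check_cmd REQUEST
# Prints "allow: <sanitized command>" and returns 0, or "deny: <reason>" and
# returns 1.  Kept separate from the exec so it can be exercised offline.
check_cmd() {
    set -f            # no globbing while the request is split into words
    set -- $1         # word-split on IFS (space, tab, newline)
    set +f
    [ $# -eq 0 ] && { echo "deny: no interactive shell"; return 1; }

    # Every word must be plain: no quotes, redirections, ';', '|', '$(...)',
    # globs and so on.  The allowed command is exec'd directly, never via a
    # shell, so legitimate requests never need such characters.
    for w; do
        case $w in
            *[!A-Za-z0-9_./-]*)
                echo "deny: unsafe characters in '$w'"; return 1 ;;
        esac
    done

    # Hypothetical allowlist for the example; the "5 commands" of the thread.
    case $1 in
        ls|df|uptime|who|quota) echo "allow: $*"; return 0 ;;
        *) echo "deny: '$1' is not on the allowlist"; return 1 ;;
    esac
}

# Act as the wrapper only when installed and invoked under our own name, so
# that sourcing this file for testing runs nothing.
case $0 in
    *restricted-cmd)
        if verdict=$(check_cmd "${SSH_ORIGINAL_COMMAND-}"); then
            set -f
            set -- ${verdict#allow: }
            exec "$@"
        else
            printf '%s\n' "$verdict" >&2
            exit 1
        fi
        ;;
esac
```

Usage note: the refusal message goes to stderr, so "ssh host scp -t /tmp" against such an account prints the deny reason and the client's scp fails cleanly. Port forwarding is switched off in the same place (the "restrict" key option or the Match block) rather than in the wrapper, since the wrapper only ever sees the command request, not channel requests.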






BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.




Boston Linux & Unix / webmaster@blu.org