
Securing client access via SSH

Hi,

I have a server (happens to be AIX but I don't consider that too important to the topic) that clients have access to by:

(a) sftp
(b) a custom server setup using .ssh/authorized_keys

I want to deny those clients general shell access but still permit sftp access and any custom server defined in authorized_keys?

Thoughts? If I set the client's shell to "nologin" or "false" will that prevent all access?

And I still want to run as that user (mainly to configure and test) using some form of "su".

Maybe this helps :D
http://www.howtoforge.com/chrooted-ssh- ... bian-lenny

_________________
r-a-c.de

Hi,

porter wrote:
I want to deny those clients general shell access but still permit sftp access and any custom server defined in authorized_keys?

Thoughts? If I set the client's shell to "nologin" or "false" will that prevent all access?


How about something like scponly?
http://sublimation.org/scponly/wiki/index.php/Main_Page

You replace the user's shell with the scponly binary.
It seems to support sftp as well as scp and a whole host of configurable features and restrictions:
http://sublimation.org/scponly/wiki/index.php/Features


Regards,
@ndy

Cool, I will give that one a go....
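
Added example, not part of any post in this thread: for the custom-server keys in .ssh/authorized_keys described in the question, a small Python audit that reports which key entries lack a forced `command=` or the options that disable pty and forwarding. The sample file, the `/usr/local/bin/custom-server` path and the key blobs are constructed placeholders, and it assumes OpenSSH's authorized_keys option syntax (`restrict` needs OpenSSH 7.2 or later).

```python
import re

KEY_TYPE = re.compile(r"^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-\S+|sk-\S+)$")
# Each of these removes one interactive capability; "restrict" implies them all.
HARDENING = {"no-pty", "no-port-forwarding", "no-agent-forwarding", "no-x11-forwarding"}
# One option: name, optional ="value" (value may hold \" escapes), then ',' or space.
OPTION = re.compile(r'([A-Za-z0-9-]+)(?:="((?:\\.|[^"\\])*)")?(,|(?=\s))')

# Constructed sample file; paths, key blobs and comments are placeholders.
SAMPLE = r'''# constructed authorized_keys for illustration
command="/usr/local/bin/custom-server --mode \"batch\"",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-ed25519 AAAAC3CONSTRUCTED1 client-a
command="/usr/local/bin/custom-server",restrict ssh-rsa AAAAB3CONSTRUCTED2 client-b
command="/usr/local/bin/custom-server" ssh-rsa AAAAB3CONSTRUCTED3 client-c
ssh-rsa AAAAB3CONSTRUCTED4 client-d
'''

def parse_entry(line):
    """Return (options dict, key type) for one authorized_keys line."""
    first = line.split(None, 1)[0]
    if KEY_TYPE.match(first):
        return {}, first                    # line starts with the key: no options
    opts, pos = {}, 0
    while True:
        m = OPTION.match(line, pos)
        if not m:
            raise ValueError("unparsable options field: " + line[:40])
        opts[m.group(1).lower()] = m.group(2)   # option names are case-insensitive
        pos = m.end()
        if m.group(3) != ",":               # unquoted whitespace ends the options
            break
    return opts, line[pos:].split()[0]

def audit(text):
    """Map line number -> list of issues for every key entry in the file."""
    report = {}
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        opts, _keytype = parse_entry(line)
        issues = []
        if "command" not in opts:
            issues.append("no forced command: key gets the account's login shell")
        if "restrict" not in opts and HARDENING.difference(opts):
            issues.append("missing " + ",".join(sorted(HARDENING.difference(opts))))
        report[n] = issues
    return report

if __name__ == "__main__":
    for n, issues in audit(SAMPLE).items():
        print(n, issues or "ok")
```

sshd runs a forced command through the account's login shell with `-c`, so the result of this audit has to be read together with whatever shell the account is given.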