Ed Wilts wrote:

Here's the problem, and I'll let you suggest some solutions that are
actually secure.

Sounds fun. :-)

Allow hundreds of authenticated users scattered throughout the
Internet to transfer files. Restrict uploads to pre-determined
directories and downloads to other pre-determined directories. Allow
automated processes to easily do this. Trivial to do with wu-ftpd and
the ftpaccess file, but I've never found a way to allow an scp to honor
any sort of directory restrictions. If any user has scp/sftp access,
then they can simply use this or remote command execution to grab my
system password file,

This sounds like a call for modifying the source of sshd. After sshd authenticates a user, it should be able to look at the user's home directory in /etc/passwd. If it contains the character pattern that indicates to ftpd that it should operate chroot'd (././dir IIRC), then disallow remote command execution, run a different command/function when the ssh stream contains file transfers that operates chroot'd, and disallow any attempt at port forwarding.

It seems a relatively simple set of mods for sshd, and I am surprised that the OpenSSH people aren't interested. Perhaps there is something in the structure of the code that would make it unexpectedly difficult.

Alan
--
Alan Peery
[EMAIL PROTECTED]
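
The check proposed in the message above, sketched as an added example that is not part of the original post and is not OpenSSH code. It assumes the marker is a `/./` component in the passwd home field, with the part before it as the chroot root and the part after it as the directory inside the jail; `xfer_policy`, `path_ok` and `policy_from_home` are hypothetical names and the sample path is constructed.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

struct xfer_policy {        /* hypothetical; not an OpenSSH structure */
    bool restricted;        /* marker found: file-transfer-only account */
    bool allow_exec;        /* remote command execution */
    bool allow_forwarding;  /* port forwarding */
    char root[256];         /* directory to chroot() into */
    char cwd[256];          /* working directory inside the jail */
};

/* Accept only absolute paths that contain no ".." component. */
static bool path_ok(const char *p)
{
    if (p[0] != '/') return false;
    for (const char *s = p; (s = strstr(s, "..")) != NULL; s += 2)
        if (s[-1] == '/' && (s[2] == '/' || s[2] == '\0'))
            return false;
    return true;
}

/* Derive the policy from a passwd home field (assumed marker: "/./").
 * Returns -1 for a malformed marked entry, leaving *out with all denied. */
int policy_from_home(const char *home, struct xfer_policy *out)
{
    memset(out, 0, sizeof(*out));
    const char *mark = strstr(home, "/./");
    if (mark == NULL) {                 /* ordinary account: no restriction */
        out->allow_exec = out->allow_forwarding = true;
        return 0;
    }
    size_t rlen = (size_t)(mark - home);
    const char *rest = mark + 2;        /* keeps the in-jail path's leading '/' */
    if (rlen == 0 || rlen >= sizeof(out->root) || strlen(rest) >= sizeof(out->cwd))
        return -1;
    memcpy(out->root, home, rlen);      /* memset above already NUL-terminated it */
    strcpy(out->cwd, rest);
    if (!path_ok(out->root) || !path_ok(out->cwd) || strstr(out->cwd, "/./"))
        return -1;
    out->restricted = true;             /* exec and forwarding stay denied */
    return 0;
}

int main(void)
{
    struct xfer_policy p;               /* constructed sample home field */
    int rc = policy_from_home("/srv/xfer/acme/./incoming", &p);
    printf("rc=%d root=%s cwd=%s exec=%d fwd=%d\n", rc, p.root, p.cwd, p.allow_exec, p.allow_forwarding);
}
```

A malformed marked entry returns -1 with every permission left denied, so a caller that refuses the login on -1 never falls back to an unrestricted shell.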




