Mail Archives: cygwin/2003/08/12/17:36:05

Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive: <http://sources.redhat.com/ml/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sources.redhat.com/ml/#faqs>
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com
X-Authentication-Warning: slinky.cs.nyu.edu: pechtcha owned process doing -bs
Date: Tue, 12 Aug 2003 17:35:41 -0400 (EDT)
From: Igor Pechtchanski <pechtcha AT cs DOT nyu DOT edu>
Reply-To: cygwin AT cygwin DOT com
To: jwaterbrook <jwaterbrook AT keyww DOT com>
cc: cygwin AT cygwin DOT com
Subject: Re: michael's openssh for windows
In-Reply-To: <3F394F47.1090209@keyww.com>
Message-ID: <Pine.GSO.4.44.0308121721560.3223-100000@slinky.cs.nyu.edu>
Importance: Normal
MIME-Version: 1.0

Johnny,

Ssh passes no parameters to the login shell by default (as your output
clearly shows).  You have to check for the parameters passed by other
programs, like sftp (make sure you don't print things to stdout, as
they'll be interpreted as program messages -- better redirect the output
to some log file).  FYI, I was able to restrict ssh access to sftp only by
using the following script as the login shell:

=================== CUT HERE ===================
#!/bin/sh
# Log the argument vector so the invocations made by other clients can be identified.
echo Parameters: "$@" >> /tmp/sshlogin.log
# sshd runs the login shell as: <shell> -c "<command>"; allow only sftp-server.
if [ "$*" != "-c /usr/sbin/sftp-server" ]; then
   echo "Sorry, sftp only!"
   exit 1
fi
exec /bin/bash "$@"
=================== CUT HERE ===================

Checking /tmp/sshlogin.log after trying to use other programs with ssh
(e.g., cvs) should give you an idea of what exact parameters they pass,
and accommodate them in your script if need be.

BTW, one important thing to know is that the above script *will not*
prevent anyone from accessing /cygdrive/c/WINNT/system32, for example.
If you want that kind of access restrictions, look at the "chroot" utility
("man chroot") or use DENY ACLs.
	Igor

On Tue, 12 Aug 2003, jwaterbrook wrote:

> I decided to give that a shot, however, as I expected, that gave no
> output either.
> ---OUTPUT---
> Last login: Tue Aug 12 10:50:24 2003 from xxxx.yyyy.com
> Parameters:
> $
> ---END OUTPUT---
>
> Somehow, nothing is getting passed.  Like I said before, it could be the
> distribution.  If anyone has any free time, download it and see what I'm
> talking about.
> It's such a wonderful quick solution, It would be nice to get this so it
> can act as a "substitute" for a normal ftp server (and even better for
> some cases only using a single port).
>
> Adieu,
> Johnny
>
> Igor Pechtchanski wrote:
>
> > You might try to change that script to
> >
> > #!/bin/sh
> > echo "Parameters: $@"
> > exec /bin/sh "$@"
> >
> > Hope this helps,
> >         Igor
> > On Tue, 12 Aug 2003, jwaterbrook wrote:
> >
> > >  A comment about the script method:
> > >
> > > for some reason, this didn't seem to return any result.
> > > I added /usr/bin/sftponly to the passwd file instead of /bin/sh or
> > > /bin/switch
> > > and created a /usr/bin/sftponly file with this inside:
> > > #!/bin/sh
> > >
> > > echo "$*"
> > >
> > > /bin/sh
> > >
> > > however, this did not create any output.  So I have a feeling, nothing
> > > is being passed in this build.
> > >
> > > I may be going at this the wrong way, so if anyone would like to correct
> > > me, please do so.
> > >
> > > Thanks,
> > > Johnny
> > >
> > >
> > > Igor Pechtchanski wrote:
> > >
> > > > The thread starting at
> > > > <http://cygwin.com/ml/cygwin/2003-07/msg01379.html>
> > > > might be of help.
> > > >         Igor
> > > >
> > > > On Mon, 11 Aug 2003, jwaterbrook wrote:
> > > >
> > > > > I haven't seemed to get very far with this,
> > > > > I was hoping someone might be able to point a blind man in the right
> > > > > direction
> > > > >
> > > > > Waterbrook, Johnny wrote:
> > > > >
> > > > > > I'd prefer not to start a new thread, but I've been searching for the
> > > > > > past few hours with no luck.
> > > > > >
> > > > > > I needed a fast way to set up sftp on a winXP box, so I did a little
> > > > > > google search and found lexa.mckenna.edu/sshwindows/ had a clean and
> > > > > > easy way of doing this.
> > > > > > I changed the registry setting "/home" to a different drive, and the
> > > > > > passwd file's entry from :/home/USERNAME: to :/home: so when my "aunt's
> > > > > > ex-uncle" wants to login to my sftp server, they can't browse my windows
> > > > > > directory structure.
> > > > > >
> > > > > > However, when my "aunt's ex-uncle" realizes he can also ssh into the box,
> > > > > > I don't want him running "windows" commands such as cmd, nbtstat, dir
> > > > > > etc.  I just want to "limit" him to what is available in /bin I guess.
> > > > > >
> > > > > > Am I going about this wrong?  Is there a cygwin/openssh implementation
> > > > > > that "stands alone" from windows so I could set up a sftp server much
> > > > > > like a normal ftp server?
> > > > > >
> > > > > > Thanks in advance,
> > > > > > Johnny

-- 
				http://cs.nyu.edu/~pechtcha/
      |\      _,,,---,,_		pechtcha AT cs DOT nyu DOT edu
ZZZzz /,`.-'`'    -.  ;-;;,_		igor AT watson DOT ibm DOT com
     |,4-  ) )-,_. ,\ (  `'-'		Igor Pechtchanski, Ph.D.
    '---''(_/--'  `-'\_) fL	a.k.a JaguaR-R-R-r-r-r-.-.-.  Meow!

"I have since come to realize that being between your mentor and his route
to the bathroom is a major career booster."  -- Patrick Naughton


--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/
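The login-shell approach above, written out as an added example. This is not Igor's script and not Cygwin or OpenSSH code; it assumes sftp-server lives at /usr/sbin/sftp-server, that the wrapper is installed under the name sftponly, and that the log goes to /tmp/sshlogin.log unless SFTPONLY_LOG says otherwise. It logs the argument vector one argument at a time (so an argument containing a space is not confused with two arguments) and compares each argument separately instead of the joined "$*" string, and it writes nothing to stdout, which for an sftp session is the protocol channel.

```sh
#!/bin/sh
# Added example (not the script from the message above, and not Cygwin or
# OpenSSH code): a login-shell wrapper that admits only the sftp-server
# invocation sshd makes for an sftp session. The sftp-server path and the
# log file location are assumptions; adjust them for your installation.
# Install as /usr/bin/sftponly and point the user's passwd shell entry at it.

SFTP_SERVER=/usr/sbin/sftp-server

# log_params appends one line per login attempt: the argument count and
# each argument in brackets. An argument containing spaces is therefore
# distinguishable from two separate arguments, which a joined "$*" hides.
# Nothing is written to stdout: for an sftp session stdout is the protocol
# channel and any stray text there breaks the client.
log_params() {
    {
        printf '%s argc=%s' "$(date)" "$#"
        for a in "$@"; do printf ' [%s]' "$a"; done
        printf '\n'
    } >> "${SFTPONLY_LOG:-/tmp/sshlogin.log}" 2>/dev/null
}

# is_sftp_only succeeds only when the argument vector is exactly the two
# arguments sshd passes for an sftp session: "-c" followed by the
# sftp-server path. Counting arguments and comparing each one separately
# keeps the check exact: a third argument, or a command with extra text
# appended to the sftp-server path, is refused.
is_sftp_only() {
    [ "$#" -eq 2 ] && [ "$1" = "-c" ] && [ "$2" = "$SFTP_SERVER" ]
}

main() {
    log_params "$@"
    if is_sftp_only "$@"; then
        # Run sftp-server directly; no shell is needed to interpret "$2".
        exec "$SFTP_SERVER"
    fi
    # Refuse interactive logins, scp, cvs and everything else. The message
    # goes to stderr for the same reason the log does not use stdout.
    echo "Sorry, sftp only!" >&2
    exit 1
}

# Run main only when installed under the name sftponly, so the functions can
# be sourced and exercised on their own.
case "${0##*/}" in
    sftponly) main "$@" ;;
esac
```

Reading /tmp/sshlogin.log after trying ssh, scp or cvs against the account shows the exact vector each client sends, so further commands can be added to is_sftp_only deliberately rather than by guessing. The caveat from the message still applies: this only controls which program the login starts; sftp-server itself can still reach any path the Windows account can read, so confining the user to a directory tree needs chroot or ACLs on top of it.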
