Mail Archives: cygwin/2003/08/12/19:36:47

Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive: <http://sources.redhat.com/ml/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sources.redhat.com/ml/#faqs>
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com
Message-ID: <3F3979FB.7050108@keyww.com>
Date: Tue, 12 Aug 2003 16:36:27 -0700
From: jwaterbrook <jwaterbrook AT keyww DOT com>
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4) Gecko/20030624
X-Accept-Language: en
MIME-Version: 1.0
To: cygwin AT cygwin DOT com
Subject: Re: michael's openssh for windows
References: <Pine DOT GSO DOT 4 DOT 44 DOT 0308121721560 DOT 3223-100000 AT slinky DOT cs DOT nyu DOT edu>
In-Reply-To: <Pine.GSO.4.44.0308121721560.3223-100000@slinky.cs.nyu.edu>
X-OriginalArrivalTime: 12 Aug 2003 23:36:28.0221 (UTC) FILETIME=[8D36DED0:01C3612A]

"Ssh passes no parameters to the login shell by default"
This is exactly what was confusing me.  Thank you for clarifying.
I redirected $* to a file and logged in different ways; sftp gave me
output as you said, so this part of it works now.

I looked at chroot, but I can't seem to get it to take.
Where/how can I include this in my sftponly script?
I don't think DENY ACLs are an option in this distribution.  Any info
on it would also be helpful.

Thanks,
Johnny


Igor Pechtchanski wrote:

> Johnny,
>
> Ssh passes no parameters to the login shell by default (as your output
> clearly shows).  You have to check for the parameters passed by other
> programs, like sftp (make sure you don't print things to stdout, as
> they'll be interpreted as program messages -- better redirect the output
> to some log file).  FYI, I was able to restrict ssh access to sftp only by
> using the following script as the login shell:
>
> =================== CUT HERE ===================
> #!/bin/sh
> # Append the argument vector sshd passed to a log; never write it to stdout.
> echo Parameters: "$@" >> /tmp/sshlogin.log
> # For an sftp subsystem request sshd runs the shell as:
> #   <shell> -c /usr/sbin/sftp-server
> # An interactive login passes no arguments at all and is refused here.
> if [ "$*" != "-c /usr/sbin/sftp-server" ]; then
>    echo "Sorry, sftp only!"
>    exit 1
> fi
> # Hand the permitted command to a real shell.
> exec /bin/bash "$@"
> =================== CUT HERE ===================
>
> Checking /tmp/sshlogin.log after trying to use other programs with ssh
> (e.g., cvs) should give you an idea of what exact parameters they pass,
> and accommodate them in your script if need be.
>
> BTW, one important thing to know is that the above script *will not*
> prevent anyone from accessing /cygdrive/c/WINNT/system32, for example.
> If you want that kind of access restriction, look at the "chroot" utility
> ("man chroot") or use DENY ACLs.
>         Igor
>
> On Tue, 12 Aug 2003, jwaterbrook wrote:
>
> > I decided to give that a shot, however, as I expected, that gave no
> > output either.
> > ---OUTPUT---
> > Last login: Tue Aug 12 10:50:24 2003 from xxxx.yyyy.com
> > Parameters:
> > $
> > ---END OUTPUT---
> >
> > Somehow, nothing is getting passed.  Like I said before, it could be the
> > distribution.  If anyone has any free time, download it and see what I'm
> > talking about.
> > It's such a wonderful quick solution, it would be nice to get this so it
> > can act as a "substitute" for a normal ftp server (and even better for
> > some cases only using a single port).
> >
> > Adieu,
> > Johnny
> >
> > Igor Pechtchanski wrote:
> >
> > > You might try to change that script to
> > >
> > > #!/bin/sh
> > > echo "Parameters: $@"
> > > exec /bin/sh "$@"
> > >
> > > Hope this helps,
> > >         Igor
> > > On Tue, 12 Aug 2003, jwaterbrook wrote:
> > >
> > > >  A comment about the script method:
> > > >
> > > > for some reason, this didn't seem to return any result.
> > > > I added /usr/bin/sftponly to the passwd file instead of /bin/sh or
> > > > /bin/switch
> > > > and created a /usr/bin/sftponly file with this inside:
> > > > #!/bin/sh
> > > >
> > > > echo "$*"
> > > >
> > > > /bin/sh
> > > >
> > > > however, this did not create any output.  So I have a feeling, nothing
> > > > is being passed in this build.
> > > >
> > > > I may be going at this the wrong way, so if anyone would like to correct
> > > > me, please do so.
> > > >
> > > > Thanks,
> > > > Johnny
> > > >
> > > >
> > > > Igor Pechtchanski wrote:
> > > >
> > > > > The thread starting at
> > > > > <http://cygwin.com/ml/cygwin/2003-07/msg01379.html>
> > > > > might be of help.
> > > > >         Igor
> > > > >
> > > > > On Mon, 11 Aug 2003, jwaterbrook wrote:
> > > > >
> > > > > > I haven't seemed to get very far with this,
> > > > > > I was hoping someone might be able to point a blind man in the right
> > > > > > direction
> > > > > >
> > > > > > Waterbrook, Johnny wrote:
> > > > > >
> > > > > > > I'd prefer not to start a new thread, but I've been searching for the
> > > > > > > past few hours with no luck.
> > > > > > >
> > > > > > > I needed a fast way to set up sftp on a winXP box, so I did a little
> > > > > > > google search and found lexa.mckenna.edu/sshwindows/ had a clean and
> > > > > > > easy way of doing this.
> > > > > > > I changed the registry setting "/home" to a different drive, and the
> > > > > > > passwd file's entry from :/home/USERNAME: to :/home: so when my "aunt's
> > > > > > > ex-uncle" wants to login to my sftp server, they can't browse my windows
> > > > > > > directory structure.
> > > > > > >
> > > > > > > However, when my "aunt's ex-uncle" realizes he can also ssh into the box,
> > > > > > > I don't want him running "windows" commands such as cmd, nbtstat, dir
> > > > > > > etc.  I just want to "limit" him to what is available in /bin I guess.
> > > > > > >
> > > > > > > Am I going about this wrong?  Is there a cygwin/openssh implementation
> > > > > > > that "stands alone" from windows so I could set up a sftp server much
> > > > > > > like a normal ftp server?
> > > > > > >
> > > > > > > Thanks in advance,
> > > > > > > Johnny
>
> -- 
>                                 http://cs.nyu.edu/~pechtcha/
>       |\      _,,,---,,_                pechtcha AT cs DOT nyu DOT edu
> ZZZzz /,`.-'`'    -.  ;-;;,_            igor AT watson DOT ibm DOT com
>      |,4-  ) )-,_. ,\ (  `'-'           Igor Pechtchanski, Ph.D.
>     '---''(_/--'  `-'\_) fL     a.k.a JaguaR-R-R-r-r-r-.-.-.  Meow!
>
> "I have since come to realize that being between your mentor and his route
> to the bathroom is a major career booster."  -- Patrick Naughton
>


--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/
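The sftp-only login shell discussed in this thread, written out as an added example; this is not code from Johnny, Igor or the sshwindows package. It relies on the same fact Igor states: sshd invokes the login shell as `<shell> -c /usr/sbin/sftp-server` for an sftp subsystem request and with no arguments for an interactive login. Instead of comparing the joined string `$*`, it checks the argument count and each argument, logs to a file rather than stdout (anything on stdout is read by the sftp client as protocol data), and execs the subsystem directly. The paths `/usr/sbin/sftp-server` and `/var/log/sftponly.log`, and installing the script as `/usr/bin/sftponly`, are assumptions. Like the quoted script it only restricts the command, not the filesystem; Igor's point about /cygdrive/c/WINNT/system32 still stands. (Later OpenSSH releases answer the chroot question directly with `ChrootDirectory` plus `ForceCommand internal-sftp` in a `Match` block; none of that existed when this thread was written.)

```shell
#!/bin/sh
# Added example, not code from the thread. An sftp-only login shell that
# tests the exact argument vector sshd hands to the user's shell, rather
# than comparing the joined string "$*". Assumed paths: the OpenSSH
# subsystem binary /usr/sbin/sftp-server and a log file /var/log/sftponly.log.

SFTP_SERVER=/usr/sbin/sftp-server
LOG=/var/log/sftponly.log

# sshd runs the login shell as:  <shell> -c /usr/sbin/sftp-server
# for an sftp subsystem request, and with no arguments at all for an
# interactive login. Allow only the former, matched argument by argument,
# so "-c '/usr/sbin/sftp-server; id'" or a third argument is refused.
sftp_only_allowed() {
    [ "$#" -eq 2 ] && [ "$1" = "-c" ] && [ "$2" = "$SFTP_SERVER" ]
}

# Record what was passed, for tuning the check against other clients
# (cvs, scp, rsync). Write to a log, never to stdout: an sftp client reads
# the shell's stdout as protocol data and any stray text kills the session.
# A failed write (log not writable) must not break an otherwise valid login.
log_args() {
    printf '%s argc=%s argv=%s\n' "$(date '+%Y-%m-%dT%H:%M:%S')" "$#" "$*" \
        >> "$LOG" 2>/dev/null || :
}

# Decide and dispatch. Returns 1 (caller exits) when the request is refused;
# on success exec replaces this shell with sftp-server and never returns.
sftponly_main() {
    log_args "$@"
    if sftp_only_allowed "$@"; then
        exec "$SFTP_SERVER"   # run the subsystem directly; no shell in between
    fi
    echo "Sorry, sftp only!" >&2
    return 1
}

# Dispatch only when invoked under the name sftponly (e.g. installed as
# /usr/bin/sftponly and listed in passwd; "-sftponly" is how sshd names an
# interactive login shell). Under any other name the functions are merely
# defined, which lets them be sourced and exercised in isolation.
case "$0" in
    sftponly|*/sftponly|-sftponly) sftponly_main "$@" || exit 1 ;;
esac
```

Install it as `/usr/bin/sftponly`, make it executable, and put that path in the user's passwd shell field exactly as Johnny did; `sftp user@host` then works while `ssh user@host` and `ssh user@host cmd` are both refused and logged.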
