Mail Archives: cygwin/2007/03/01/09:55:29
On Thu, Mar 01, 2007 at 04:28:15PM +0200, Ehud Karni wrote:
>On Tue, 27 Feb 2007 19:37:25, Francis wrote:
>>I am running a OpenSSH server for some friends on my machine, and I was
>>hoping to disable access to /cygdrive (local drives.) Is there a way to
>>prevent them from modifying any files also? this is intended just as a
>>SSH tunneling method to get us around some Websense.
>
>I have restricted ssh users to a some directory with some commands only
>on GNU/Linux by using `chroot' and restricted shell (bash). This won't
>work on Cygwin, because there is no `chroot' jail (not supported by the
>underlying OS).
>
>You have 2 options:
>1. Use the /etc/passwd to specify your own shell which will check the
> input and execute only the allowed commands (by being filter to a
> shell or by calling `system').
>
>2. Use cgf advice and restrict the ssh user to one command only (by the
> authorized_keys file which will be a filter (same as in 1). This has
> some drawbacks on Cygwin (unlike UNIX), but for your purpose it is
> not significant.
Cygwin emulates chroot so, depending on your needs, it may be adequate
although since, as noted, it isn't handled at the OS level, it is not
foolproof.
I still think that the best solution is to only allow tunneling and
disallow other commands. Looking at the documentation for sshd_config,
another option is to use "ForceCommand" option in sshd_config, possibly
in conjunction with the "Match" keyword.
"man sshd_config" would probably be useful reading.
cgf
--
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
Problem reports: http://cygwin.com/problems.html
Documentation: http://cygwin.com/docs.html
FAQ: http://cygwin.com/faq/
- Raw text -