Date: Tue, 12 Aug 2003 17:35:41 -0400 (EDT)
From: Igor Pechtchanski
Reply-To: cygwin AT cygwin DOT com
To: jwaterbrook
cc: cygwin AT cygwin DOT com
Subject: Re: michael's openssh for windows
In-Reply-To: <3F394F47.1090209@keyww.com>

Johnny,

Ssh passes no parameters to the login shell by default (as your output
clearly shows). You have to check for the parameters passed by other
programs, like sftp (make sure you don't print things to stdout, as
they'll be interpreted as program messages -- better redirect the output
to some log file). FYI, I was able to restrict ssh access to sftp only by
using the following script as the login shell:

=================== CUT HERE ===================
#!/bin/sh
# Log the arguments sshd passed to this login shell (never to stdout).
echo Parameters: "$@" >> /tmp/sshlogin.log
# Refuse anything other than the sftp subsystem invocation.
if [ "$*" != "-c /usr/sbin/sftp-server" ]; then
  echo "Sorry, sftp only!"
  exit 1
fi
# Hand the permitted command over to the real shell.
exec /bin/bash "$@"
=================== CUT HERE ===================

Checking /tmp/sshlogin.log after trying to use other programs with ssh
(e.g., cvs) should give you an idea of what exact parameters they pass,
and accommodate them in your script if need be.

BTW, one important thing to know is that the above script *will not*
prevent anyone from accessing /cygdrive/c/WINNT/system32, for example. If
you want that kind of access restriction, look at the "chroot" utility
("man chroot") or use DENY ACLs.
	Igor

On Tue, 12 Aug 2003, jwaterbrook wrote:

> I decided to give that a shot, however, as I expected, that gave no
> output either.
>
> ---OUTPUT---
> Last login: Tue Aug 12 10:50:24 2003 from xxxx.yyyy.com
> Parameters:
> $
> ---END OUTPUT---
>
> Somehow, nothing is getting passed. Like I said before, it could be the
> distribution. If anyone has any free time, download it and see what I'm
> talking about.
> It's such a wonderful quick solution, it would be nice to get this so it
> can act as a "substitute" for a normal ftp server (and even better for
> some cases only using a single port).
>
> Adieu,
> Johnny
>
> Igor Pechtchanski wrote:
>
> > You might try to change that script to
> >
> > #!/bin/sh
> > echo "Parameters: $@"
> > exec /bin/sh "$@"
> >
> > Hope this helps,
> >	Igor
>
> > On Tue, 12 Aug 2003, jwaterbrook wrote:
> >
> > > A comment about the script method:
> > >
> > > for some reason, this didn't seem to return any result.
> > > I added /usr/bin/sftponly to the passwd file instead of /bin/sh or
> > > /bin/switch
> > > and created a /usr/bin/sftponly file with this inside:
> > > #!/bin/sh
> > >
> > > echo "$*"
> > >
> > > /bin/sh
> > >
> > > however, this did not create any output. So I have a feeling, nothing
> > > is being passed in this build.
> > >
> > > I may be going at this the wrong way, so if anyone would like to correct
> > > me, please do so.
> > >
> > > Thanks,
> > > Johnny
> > >
> > >
> > > Igor Pechtchanski wrote:
> > >
> > > > The thread starting at
> > > >
> > > > might be of help.
> > > >	Igor
> > > >
> > > > On Mon, 11 Aug 2003, jwaterbrook wrote:
> > > >
> > > > > I haven't seemed to get very far with this,
> > > > > I was hoping someone might be able to point a blind man in the right
> > > > > direction
> > > > >
> > > > > Waterbrook, Johnny wrote:
> > > > >
> > > > > > I'd prefer not to start a new thread, but I've been searching for the
> > > > > > past few hours with no luck.
> > > > > >
> > > > > > I needed a fast way to set up sftp on a winXP box, so I did a little
> > > > > > google search and found lexa.mckenna.edu/sshwindows/ had a clean and
> > > > > > easy way of doing this.
> > > > > > I changed the registry setting "/home" to a different drive, and the
> > > > > > passwd file's entry from :/home/USERNAME: to :/home: so when my "aunt's
> > > > > > ex-uncle" wants to login to my sftp server, they can't browse my windows
> > > > > > directory structure.
> > > > > >
> > > > > > However, when my "aunt's ex-uncle" realizes he can also ssh into the box,
> > > > > > I don't want him running "windows" commands such as cmd, nbtstat, dir
> > > > > > etc. I just want to "limit" him to what is available in /bin I guess.
> > > > > >
> > > > > > Am I going about this wrong? Is there a cygwin/openssh implementation
> > > > > > that "stands alone" from windows so I could set up a sftp server much
> > > > > > like a normal ftp server?
> > > > > >
> > > > > > Thanks in advance,
> > > > > > Johnny

-- 
				http://cs.nyu.edu/~pechtcha/
      |\      _,,,---,,_		pechtcha AT cs DOT nyu DOT edu
ZZZzz /,`.-'`'    -.  ;-;;,_		igor AT watson DOT ibm DOT com
     |,4-  ) )-,_. ,\ (  `'-'		Igor Pechtchanski, Ph.D.
    '---''(_/--'  `-'\_) fL	a.k.a JaguaR-R-R-r-r-r-.-.-.  Meow!

"I have since come to realize that being between your mentor and his route
to the bathroom is a major career booster."  -- Patrick Naughton
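
The login-shell check described in the reply above, written as an added example that is not part of the original message or of any cygwin/openssh package. It differs from the posted script in three assumed choices: it compares the argument count and each argument separately instead of the joined "$*" string, it logs each argument in brackets so boundaries are visible, and it execs the sftp server directly. The function names sftp_only_check and sftp_only_main are hypothetical; the paths are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example: stricter argument check for an sftp-only login shell.
# Paths are the ones quoted in the thread; override them for other installs.
SFTP_SERVER=${SFTP_SERVER:-/usr/sbin/sftp-server}
LOG=${LOG:-/tmp/sshlogin.log}

# sftp_only_check ARG...
# Succeeds only for the exact vector "-c <SFTP_SERVER>" (two arguments).
# Every call is appended to $LOG with each argument bracketed, so argument
# boundaries stay visible. Nothing goes to stdout, which carries the sftp
# protocol stream.
sftp_only_check() {
    {
        printf '%s argc=%d argv=' "$(date '+%Y-%m-%d %H:%M:%S')" "$#"
        for arg in "$@"; do printf '[%s]' "$arg"; done
        printf '\n'
    } >> "$LOG"
    [ "$#" -eq 2 ] || return 1           # an interactive login passes none
    [ "$1" = "-c" ] || return 1
    [ "$2" = "$SFTP_SERVER" ] || return 1
}

# sftp_only_main ARG...
# Replaces this process with the sftp server when the check passes;
# otherwise refuses on stderr and exits non-zero.
sftp_only_main() {
    if sftp_only_check "$@"; then
        exec "$SFTP_SERVER"
    fi
    echo "Sorry, sftp only!" >&2
    exit 1
}

# Act as a login shell only when installed under the name used in the
# thread (/usr/bin/sftponly); under any other name just define the functions.
case "${0##*/}" in
    sftponly) sftp_only_main "$@" ;;
esac
```

As the reply notes, a check like this limits which command the login starts; it does not restrict which directories the sftp session can reach.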