From: jwaterbrook
To: cygwin AT cygwin DOT com
Date: Tue, 12 Aug 2003 16:36:27 -0700
Subject: Re: michael's openssh for windows
Message-ID: <3F3979FB.7050108@keyww.com>

"Ssh passes no parameters to the login shell by default"

This is exactly what was confusing me. Thank you for clarifying.
I redirected $* to a file and logged in different ways, sftp gave me output as you said, so this part of it works now.

I looked at chroot, but I can't seem to get it to take. Where/how can I include this in my sftponly script?
I don't think DENY ACLs is an option in this distribution. Any info on it would also be helpful.

Thanks,
Johnny

Igor Pechtchanski wrote:

> Johnny,
>
> Ssh passes no parameters to the login shell by default (as your output
> clearly shows). You have to check for the parameters passed by other
> programs, like sftp (make sure you don't print things to stdout, as
> they'll be interpreted as program messages -- better redirect the output
> to some log file). FYI, I was able to restrict ssh access to sftp only by
> using the following script as the login shell:
>
> =================== CUT HERE ===================
> #!/bin/sh
> echo Parameters: "$@" >> /tmp/sshlogin.log
> if [ "$*" != "-c /usr/sbin/sftp-server" ]; then
>   echo "Sorry, sftp only!"
>   exit 1
> fi
> exec /bin/bash "$@"
> =================== CUT HERE ===================
>
> Checking /tmp/sshlogin.log after trying to use other programs with ssh
> (e.g., cvs) should give you an idea of what exact parameters they pass,
> and accommodate them in your script if need be.
>
> BTW, one important thing to know is that the above script *will not*
> prevent anyone from accessing /cygdrive/c/WINNT/system32, for example.
> If you want that kind of access restrictions, look at the "chroot" utility
> ("man chroot") or use DENY ACLs.
>       Igor
>
> On Tue, 12 Aug 2003, jwaterbrook wrote:
>
> > I decided to give that a shot, however, as I expected, that gave no
> > output either.
> > ---OUTPUT---
> > Last login: Tue Aug 12 10:50:24 2003 from xxxx.yyyy.com
> > Parameters:
> > $
> > ---END OUTPUT---
> >
> > Somehow, nothing is getting passed. Like I said before, it could be the
> > distribution. If anyone has any free time, download it and see what I'm
> > talking about.
> > It's such a wonderful quick solution, it would be nice to get this so it
> > can act as a "substitute" for a normal ftp server (and even better for
> > some cases only using a single port).
> >
> > Adieu,
> > Johnny
> >
> > Igor Pechtchanski wrote:
> >
> > > You might try to change that script to
> > >
> > > #!/bin/sh
> > > echo "Parameters: $@"
> > > exec /bin/sh "$@"
> > >
> > > Hope this helps,
> > >       Igor
> > > On Tue, 12 Aug 2003, jwaterbrook wrote:
> > >
> > > > A comment about the script method:
> > > >
> > > > for some reason, this didn't seem to return any result.
> > > > I added /usr/bin/sftponly to the passwd file instead of /bin/sh or
> > > > /bin/switch
> > > > and created a /usr/bin/sftponly file with this inside:
> > > > #!/bin/sh
> > > >
> > > > echo "$*"
> > > >
> > > > /bin/sh
> > > >
> > > > however, this did not create any output. So I have a feeling, nothing
> > > > is being passed in this build.
> > > >
> > > > I may be going at this the wrong way, so if anyone would like to correct
> > > > me, please do so.
> > > >
> > > > Thanks,
> > > > Johnny
> > > >
> > > >
> > > > Igor Pechtchanski wrote:
> > > >
> > > > > The thread starting at
> > > > >
> > > > > might be of help.
> > > > >       Igor
> > > > >
> > > > > On Mon, 11 Aug 2003, jwaterbrook wrote:
> > > > >
> > > > > > I haven't seemed to get very far with this,
> > > > > > I was hoping someone might be able to point a blind man in the right
> > > > > > direction
> > > > > >
> > > > > > Waterbrook, Johnny wrote:
> > > > > >
> > > > > > > I'd prefer not to start a new thread, but I've been searching for the
> > > > > > > past few hours with no luck.
> > > > > > >
> > > > > > > I needed a fast way to set up sftp on a winXP box, so I did a little
> > > > > > > google search and found lexa.mckenna.edu/sshwindows/ had a clean and
> > > > > > > easy way of doing this.
> > > > > > > I changed the registry setting "/home" to a different drive, and the
> > > > > > > passwd file's entry from :/home/USERNAME: to :/home: so when my "aunt's
> > > > > > > ex-uncle" wants to login to my sftp server, they can't browse my windows
> > > > > > > directory structure.
> > > > > > >
> > > > > > > However, when my "aunt's ex-uncle" realizes he can also ssh into the box,
> > > > > > > I don't want him running "windows" commands such as cmd, nbtstat, dir
> > > > > > > etc. I just want to "limit" him to what is available in /bin I guess.
> > > > > > >
> > > > > > > Am I going about this wrong? Is there a cygwin/openssh implementation
> > > > > > > that "stands alone" from windows so I could set up a sftp server much
> > > > > > > like a normal ftp server?
> > > > > > >
> > > > > > > Thanks in advance,
> > > > > > > Johnny
>
> --
> http://cs.nyu.edu/~pechtcha/
>
>       |\      _,,,---,,_         pechtcha AT cs DOT nyu DOT edu
> ZZZzz /,`.-'`'    -.  ;-;;,_     igor AT watson DOT ibm DOT com
>      |,4-  ) )-,_. ,\ (  `'-'    Igor Pechtchanski, Ph.D.
>     '---''(_/--'  `-'\_) fL      a.k.a JaguaR-R-R-r-r-r-.-.-.  Meow!
>
> "I have since come to realize that being between your mentor and his route
> to the bathroom is a major career booster." -- Patrick Naughton
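
A stricter variant of the sftp-only login shell quoted in this thread, as an added example that is not part of the original messages: it checks the argument count and each argument instead of the joined "$*" string, logs to a file rather than stdout, and runs the server directly instead of passing the arguments to another shell. The function names, the SFTPONLY_LOG variable and the file-name guard are assumptions made for the example; the server path, log path and script name are the ones that appear in the thread.

```shell
#!/bin/sh
# Added example: stricter sftp-only login shell (not code from the thread).
# Assumption: SFTPONLY_LOG may override the log path; names are illustrative.
SFTP_SERVER=/usr/sbin/sftp-server
LOG=${SFTPONLY_LOG:-/tmp/sshlogin.log}

# Succeed only when sshd asked for exactly: -c /usr/sbin/sftp-server
# Checking the count and each argument avoids the ambiguity of "$*",
# which joins every argument into a single string before comparing.
is_sftp_request() {
    [ "$#" -eq 2 ] && [ "$1" = "-c" ] && [ "$2" = "$SFTP_SERVER" ]
}

# Record what the client asked for. This never goes to stdout, because
# an sftp client would read stdout as protocol data.
log_request() {
    printf '%s user=%s argc=%d args=[%s]\n' \
        "$(date '+%Y-%m-%d %H:%M:%S')" "${USER:-unknown}" "$#" "$*" >> "$LOG"
}

sftponly_main() {
    log_request "$@"
    if is_sftp_request "$@"; then
        # Run the server itself; no second shell sees the arguments.
        exec "$SFTP_SERVER"
    fi
    echo "Sorry, sftp only!" >&2
    return 1
}

# Act as the login shell only when installed under the name "sftponly";
# any other name just defines the functions (useful for testing).
case "${0##*/}" in
    sftponly|-sftponly) sftponly_main "$@"; exit $? ;;
esac
```

As the quoted reply points out, a login-shell check like this limits which program runs and does nothing to limit which directories the sftp session can reach.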