Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com
X-Authentication-Warning: slinky.cs.nyu.edu: pechtcha owned process doing -bs
Date: Tue, 12 Aug 2003 20:44:33 -0400 (EDT)
From: Igor Pechtchanski
Reply-To: cygwin AT cygwin DOT com
To: jwaterbrook
cc: cygwin AT cygwin DOT com
Subject: Re: michael's openssh for windows
In-Reply-To: <3F3979FB.7050108@keyww.com>
Importance: Normal
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

Glad I could help.  chroot is tricky to set up, you might want to search the
net for some working examples.  DENY ACLs are a feature of WinNT-based
systems (Win2k, WinXP, etc) -- they are not a feature of Cygwin proper.
	Igor

On Tue, 12 Aug 2003, jwaterbrook wrote:

> "Ssh passes no parameters to the login shell by default"
> This is exactly what was confusing me.  Thank you for clarifying.
> I redirected $* to a file and logged in different ways, sftp gave me
> output as you said, so this part of it works now.
>
> I looked at chroot, but I can't seem to get it to take.
> Where/how can I include this in my sftponly script?
> I don't think DENY ACLs is an option in this distribution.  Any info
> on it would also be helpful
>
> Thanks,
> Johnny
>
>
> Igor Pechtchanski wrote:
>
> > Johnny,
> >
> > Ssh passes no parameters to the login shell by default (as your output
> > clearly shows).  You have to check for the parameters passed by other
> > programs, like sftp (make sure you don't print things to stdout, as
> > they'll be interpreted as program messages -- better redirect the output
> > to some log file).  FYI, I was able to restrict ssh access to sftp only by
> > using the following script as the login shell:
> >
> > =================== CUT HERE ===================
> > #!/bin/sh
> > echo Parameters: "$@" >> /tmp/sshlogin.log
> > if [ "$*" != "-c /usr/sbin/sftp-server" ]; then
> >   echo "Sorry, sftp only!"
> >   exit 1
> > fi
> > exec /bin/bash "$@"
> > =================== CUT HERE ===================
> >
> > Checking /tmp/sshlogin.log after trying to use other programs with ssh
> > (e.g., cvs) should give you an idea of what exact parameters they pass,
> > and accommodate them in your script if need be.
> >
> > BTW, one important thing to know is that the above script *will not*
> > prevent anyone from accessing /cygdrive/c/WINNT/system32, for example.
> > If you want that kind of access restrictions, look at the "chroot" utility
> > ("man chroot") or use DENY ACLs.
> > 	Igor
> >
> > On Tue, 12 Aug 2003, jwaterbrook wrote:
> >
> > > I decided to give that a shot, however, as I expected, that gave no
> > > output either.
> > > ---OUTPUT---
> > > Last login: Tue Aug 12 10:50:24 2003 from xxxx.yyyy.com
> > > Parameters:
> > > $
> > > ---END OUTPUT---
> > >
> > > Somehow, nothing is getting passed.  Like I said before, it could be the
> > > distribution.  If anyone has any free time, download it and see what I'm
> > > talking about.
> > > It's such a wonderful quick solution, it would be nice to get this so it
> > > can act as a "substitute" for a normal ftp server (and even better for
> > > some cases only using a single port).
> > >
> > > Adieu,
> > > Johnny
> > >
> > > Igor Pechtchanski wrote:
> > >
> > > > You might try to change that script to
> > > >
> > > > #!/bin/sh
> > > > echo "Parameters: $@"
> > > > exec /bin/sh "$@"
> > > >
> > > > Hope this helps,
> > > > 	Igor
> > > >
> > > > On Tue, 12 Aug 2003, jwaterbrook wrote:
> > > >
> > > > > A comment about the script method:
> > > > >
> > > > > for some reason, this didn't seem to return any result.
> > > > > I added /usr/bin/sftponly to the passwd file instead of /bin/sh or
> > > > > /bin/switch
> > > > > and created a /usr/bin/sftponly file with this inside:
> > > > > #!/bin/sh
> > > > >
> > > > > echo "$*"
> > > > >
> > > > > /bin/sh
> > > > >
> > > > > however, this did not create any output.  So I have a feeling, nothing
> > > > > is being passed in this build.
> > > > >
> > > > > I may be going at this the wrong way, so if anyone would like to correct
> > > > > me, please do so.
> > > > >
> > > > > Thanks,
> > > > > Johnny
> > > > >
> > > > >
> > > > > Igor Pechtchanski wrote:
> > > > >
> > > > > > The thread starting at
> > > > > >
> > > > > > might be of help.
> > > > > > 	Igor
> > > > > >
> > > > > > On Mon, 11 Aug 2003, jwaterbrook wrote:
> > > > > >
> > > > > > > I haven't seemed to get very far with this,
> > > > > > > I was hoping someone might be able to point a blind man in the right
> > > > > > > direction
> > > > > > >
> > > > > > > Waterbrook, Johnny wrote:
> > > > > > >
> > > > > > > > I'd prefer not to start a new thread, but I've been searching for the
> > > > > > > > past few hours with no luck.
> > > > > > > >
> > > > > > > > I needed a fast way to set up sftp on a winXP box, so I did a little
> > > > > > > > google search and found lexa.mckenna.edu/sshwindows/ had a clean and
> > > > > > > > easy way of doing this.
> > > > > > > > I changed the registry setting "/home" to a different drive, and the
> > > > > > > > passwd file's entry form :/home/USERNAME: to :/home: so when my "aunt's
> > > > > > > > ex-uncle" wants to login to my sftp server, they can't browse my windows
> > > > > > > > directory structure.
> > > > > > > >
> > > > > > > > However, when my "aunt's ex-uncle" realizes he can also ssh into the box,
> > > > > > > > I don't want him running "windows" commands such as cmd, nbtstat, dir
> > > > > > > > etc.  I just want to "limit" him to what is available in /bin I guess.
> > > > > > > >
> > > > > > > > Am I going about this wrong?  Is there a cygwin/openssh implementation
> > > > > > > > that "stands alone" from windows so I could set up a sftp server much
> > > > > > > > like a normal ftp server?
> > > > > > > >
> > > > > > > > Thanks in advance,
> > > > > > > > Johnny

--
http://cs.nyu.edu/~pechtcha/      |\      _,,,---,,_		pechtcha AT cs DOT nyu DOT edu
ZZZzz /,`.-'`'    -.  ;-;;,_		igor AT watson DOT ibm DOT com
     |,4-  ) )-,_. ,\ (  `'-'		Igor Pechtchanski, Ph.D.
    '---''(_/--'  `-'\_) fL	a.k.a JaguaR-R-R-r-r-r-.-.-.  Meow!

"I have since come to realize that being between your mentor and his route
to the bathroom is a major career booster."  -- Patrick Naughton

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/
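Putting the thread's advice together, here is an added example of an sftp-only login shell; it is my code, not Igor's script and not part of the sshwindows distribution. It keeps Igor's rule that the only accepted arguments are `-c /usr/sbin/sftp-server` (the path comes from his script and has to match the `Subsystem sftp` line in your sshd_config), but it execs sftp-server directly instead of handing "$@" to bash, writes the refusal to stderr so nothing lands on the stdout the sftp client reads, and logs every attempt so you can see what other ssh-based tools pass. The log location (`/var/log/sftponly.log`, overridable through `SFTPONLY_LOG`) and the install name `/usr/bin/sftponly` (the one Johnny put in /etc/passwd) are assumptions of this example. As Igor says, none of this stops the user reading files elsewhere on the drive; that needs chroot or DENY ACLs.

```shell
#!/bin/sh
# sftponly: added example of a login shell that permits only the sftp
# subsystem.  Not the thread's script; written here to illustrate the idea.
# Assumptions (not from the thread): the log location below, and that sshd
# starts the login shell as `sftponly -c /usr/sbin/sftp-server`, i.e. the
# command on the `Subsystem sftp` line of sshd_config is /usr/sbin/sftp-server.

LOGFILE="${SFTPONLY_LOG:-/var/log/sftponly.log}"
SFTP_SERVER="/usr/sbin/sftp-server"

# Succeeds (exit 0) only when the arguments are exactly `-c <sftp-server path>`.
# Comparing the two words separately, rather than the joined "$*" string,
# rejects extra words and anything appended to the command word.
sftp_only_allowed() {
    [ "$#" -eq 2 ] && [ "$1" = "-c" ] && [ "$2" = "$SFTP_SERVER" ]
}

# Records one attempt: timestamp, user, allowed/denied and the raw arguments,
# which is how you find out what cvs, scp and friends actually pass.
log_attempt() {
    printf '%s user=%s result=%s args=%s\n' \
        "$(date '+%Y-%m-%dT%H:%M:%S')" "${LOGNAME:-${USER:-unknown}}" "$1" "$2" \
        >> "$LOGFILE" 2>/dev/null
    return 0
}

# The login-shell entry point: exec the sftp server or refuse.
main() {
    if sftp_only_allowed "$@"; then
        log_attempt allowed "$*"
        exec "$SFTP_SERVER"
    fi
    log_attempt denied "$*"
    # stderr, not stdout: as Igor notes, anything written to stdout would be
    # read by the sftp client as protocol messages.
    echo "Sorry, sftp only!" >&2
    exit 1
}

# Run only when invoked as the installed login shell (/usr/bin/sftponly);
# sourcing this file for testing defines the functions without running main.
case "$0" in
    */sftponly|sftponly) main "$@" ;;
esac
```

Install it as /usr/bin/sftponly (mode 755, owned by root), set it as the user's shell in /etc/passwd, and then check the log after a plain `ssh` login, an `sftp` session and anything else the user might try; every denied line tells you exactly which argument vector that client sent.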