Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive: <http://sources.redhat.com/ml/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sources.redhat.com/ml/#faqs>
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com
X-Authentication-Warning: slinky.cs.nyu.edu: pechtcha owned process doing -bs
Date: Tue, 12 Aug 2003 20:44:33 -0400 (EDT)
From: Igor Pechtchanski <pechtcha AT cs DOT nyu DOT edu>
Reply-To: cygwin AT cygwin DOT com
To: jwaterbrook <jwaterbrook AT keyww DOT com>
cc: cygwin AT cygwin DOT com
Subject: Re: michael's openssh for windows
In-Reply-To: <3F3979FB.7050108@keyww.com>
Message-ID: <Pine.GSO.4.44.0308122042590.8046-100000@slinky.cs.nyu.edu>
Importance: Normal
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

Glad I could help.  chroot is tricky to set up, you might want to search
the net for some working examples.  DENY ACLs are a feature of WinNT-based
systems (Win2k, WinXP, etc) -- they are not a feature of Cygwin proper.
	Igor

On Tue, 12 Aug 2003, jwaterbrook wrote:

> "Ssh passes no parameters to the login shell by default"
> This is exactly what was confusing me.  Thank you for clarifying.
> I redirected $* to a file and logged in different ways, sftp gave me
> output as you said, so this part of it works now.
>
> I looked at chroot, but I can't seem to get it to take.
> Where/how can I include this in my sftponly script?
> I don't think DENY ACL's is an option in this distribuition.  Any info
> on it would also be helpful
>
> Thanks,
> Johnny
>
>
> Igor Pechtchanski wrote:
>
> > Johnny,
> >
> > Ssh passes no parameters to the login shell by default (as your output
> > clearly shows).  You have to check for the parameters passed by other
> > programs, like sftp (make sure you don't print things to stdout, as
> > they'll be interpreted as program messages -- better redirect the output
> > to some log file).  FYI, I was able to restrict ssh access to sftp
> > only by
> > using the following script as the login shell:
> >
> > =================== CUT HERE ===================
> > #!/bin/sh
> > echo Parameters: "$@" >> /tmp/sshlogin.log
> > if [ "$*" != "-c /usr/sbin/sftp-server" ]; then
> >    echo "Sorry, sftp only!"
> >    exit 1
> > fi
> > exec /bin/bash "$@"
> > =================== CUT HERE ===================
> >
> > Checking /tmp/sshlogin.log after trying to use other programs with ssh
> > (e.g., cvs) should give you an idea of what exact parameters they pass,
> > and accomodate them in your script if need be.
> >
> > BTW, one important thing to know is that the above script *will not*
> > prevent anyone from accessing /cygdrive/c/WINNT/system32, for example.
> > If you want that kind of access restrictions, look at the "chroot"
> > utility
> > ("man chroot") or use DENY ACLs.
> >         Igor
> >
> > On Tue, 12 Aug 2003, jwaterbrook wrote:
> >
> > > I decided to give that a shot, however, as I expected, that gave no
> > > output either.
> > > ---OUTPUT---
> > > Last login: Tue Aug 12 10:50:24 2003 from xxxx.yyyy.com
> > > Parameters:
> > > $
> > > ---END OUTPUT---
> > >
> > > Somehow, nothing is getting passed.  Like I said before, it could be
> > the
> > > distribution.  If anyone has any free time, download it and see what
> > I'm
> > > talking about.
> > > It's such a wonderful quick solution, It would be nice to get this
> > so it
> > > can act as a "substitute" for a normal ftp server (and even better for
> > > some cases only using a single port).
> > >
> > > Adieu,
> > > Johnny
> > >
> > > Igor Pechtchanski wrote:
> > >
> > > > You might try to change that script to
> > > >
> > > > #!/bin/sh
> > > > echo "Parameters: $@"
> > > > exec /bin/sh "$@"
> > > >
> > > > Hope this helps,
> > > >         Igor
> > > > On Tue, 12 Aug 2003, jwaterbrook wrote:
> > > >
> > > > >  A comment about the script method:
> > > > >
> > > > > for some reason, this didn't seem to return any result.
> > > > > I added /usr/bin/sftponly to the passwd file instead of /bin/sh or
> > > > > /bin/switch
> > > > > and created a /usr/bin/sftponly file with this inside:
> > > > > #!/bin/sh
> > > > >
> > > > > echo "$*"
> > > > >
> > > > > /bin/sh
> > > > >
> > > > > however, this did not create any output.  So I have a feeling,
> > nothing
> > > > > is being passed in this build.
> > > > >
> > > > > I may be going at this the wrong way, so if anyone would like to
> > correct
> > > > > me, please do so.
> > > > >
> > > > > Thanks,
> > > > > Johnny
> > > > >
> > > > >
> > > > > Igor Pechtchanski wrote:
> > > > >
> > > > > > The thread starting at
> > > > > > <http://cygwin.com/ml/cygwin/2003-07/msg01379.html>
> > > > > > might be of help.
> > > > > >         Igor
> > > > > >
> > > > > > On Mon, 11 Aug 2003, jwaterbrook wrote:
> > > > > >
> > > > > > > I haven't seemed to get very far with this,
> > > > > > > I was hoping someone might be able to point a blind man in
> > the right
> > > > > > > direction
> > > > > > >
> > > > > > > Waterbrook, Johnny wrote:
> > > > > > >
> > > > > > > > I'd prefer not to start a new thread, but I've been
> > searching for the
> > > > > > > > past few hours with no luck.
> > > > > > > >
> > > > > > > > I needed a fast way to set up sftp on a winXP box, so I
> > did a little
> > > > > > > > google search and found lexa.mckenna.edu/sshwindows/ had a
> > clean and
> > > > > > > > easy way of doing this.
> > > > > > > > I changed the regestry setting "/home" to a different
> > drive, and the
> > > > > > > > passwd file's entry form :/home/USERNAME: to :/home: so
> > when my "auts
> > > > > > > > ex-uncle" wants to login to my sftp server, they can't
> > browse my windows
> > > > > > > > directory structure.
> > > > > > > >
> > > > > > > > However, when my "aunts ex-uncle" realizes he can also ssh
> > into the box,
> > > > > > > > I don't want him running "windows" commands such as cmd,
> > nbtstat, dir
> > > > > > > > etc.  I just want to "limit" him to what is available in
> > /bin I guess.
> > > > > > > >
> > > > > > > > Am I going about this wrong?  Is there a cygwin/openssh
> > implemenation
> > > > > > > > that "stands alone" from windows so I could set up a sftp
> > server much
> > > > > > > > like a normal ftp server?
> > > > > > > >
> > > > > > > > Thanks in advance,
> > > > > > > > Johnny

-- 
				http://cs.nyu.edu/~pechtcha/
      |\      _,,,---,,_		pechtcha AT cs DOT nyu DOT edu
ZZZzz /,`.-'`'    -.  ;-;;,_		igor AT watson DOT ibm DOT com
     |,4-  ) )-,_. ,\ (  `'-'		Igor Pechtchanski, Ph.D.
    '---''(_/--'  `-'\_) fL	a.k.a JaguaR-R-R-r-r-r-.-.-.  Meow!

"I have since come to realize that being between your mentor and his route
to the bathroom is a major career booster."  -- Patrick Naughton


--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/