Message-ID: <3500515B75D9D311948800508BA37955014BDED9@EX-LONDON>
From: Vince Hoffman
To: "'cygwin AT cygwin DOT com'", Mark Priest
Cc: jwaterbrook
Subject: RE: michael's openssh for windows
Date: Wed, 13 Aug 2003 09:45:09 +0100

Sorry to say that chrooting ssh/sftp doesn't seem too small a task. I had a look at http://chrootssh.sourceforge.net/docs/chrootedsftp.html but wasn't too sure how relevant this was to cygwin and decided I would live without it till I had time to play more. I'd be interested if you get it going though. ;)

Vince

> -----Original Message-----
> From: Igor Pechtchanski [mailto:pechtcha AT cs DOT nyu DOT edu]
> Sent: 13 August 2003 04:27
> To: Mark Priest
> Cc: jwaterbrook; cygwin AT cygwin DOT com
> Subject: Re: michael's openssh for windows
>
> Mark,
>
> The chroot approach, if he could get it working (which I couldn't in the 20 or so minutes I've allocated for it) would prevent seeing directories outside of the selected root. Using scp (without chroot) will not prevent anyone from accessing a file in a known location (e.g., /cygdrive/c/WINNT/system32/cmd.exe).
>
> I'm not sure there is a way to turn off the /cygdrive mode of drive access altogether. It might be useful to be able to do that (there's always mounts if drive access is really needed). This, however, doesn't concern me enough to work on implementing it just now. Others are welcome to try, of course.
> Igor
>
> On Tue, 12 Aug 2003, Mark Priest wrote:
>
> > Would it help if you used scp instead of sftp? The nature of sftp allows you to browse directories while scp does not.
> >
> > -Mark
> >
> > ----- Original Message -----
> > From: "jwaterbrook"
> > To:
> > Sent: Tuesday, August 12, 2003 7:36 PM
> > Subject: Re: michael's openssh for windows
> >
> > > "Ssh passes no parameters to the login shell by default"
> > > This is exactly what was confusing me. Thank you for clarifying.
> > > I redirected $* to a file and logged in different ways, sftp gave me output as you said, so this part of it works now.
> > >
> > > I looked at chroot, but I can't seem to get it to take.
> > > Where/how can I include this in my sftponly script?
> > > I don't think DENY ACLs is an option in this distribution. Any info on it would also be helpful.
> > >
> > > Thanks,
> > > Johnny
> > >
> > > Igor Pechtchanski wrote:
> > >
> > > > Johnny,
> > > >
> > > > Ssh passes no parameters to the login shell by default (as your output clearly shows). You have to check for the parameters passed by other programs, like sftp (make sure you don't print things to stdout, as they'll be interpreted as program messages -- better redirect the output to some log file). FYI, I was able to restrict ssh access to sftp only by using the following script as the login shell:
> > > >
> > > > =================== CUT HERE ===================
> > > > #!/bin/sh
> > > > echo Parameters: "$@" >> /tmp/sshlogin.log
> > > > if [ "$*" != "-c /usr/sbin/sftp-server" ]; then
> > > >   echo "Sorry, sftp only!"
> > > >   exit 1
> > > > fi
> > > > exec /bin/bash "$@"
> > > > =================== CUT HERE ===================
> > > >
> > > > Checking /tmp/sshlogin.log after trying to use other programs with ssh (e.g., cvs) should give you an idea of what exact parameters they pass, and accommodate them in your script if need be.
> > > >
> > > > BTW, one important thing to know is that the above script *will not* prevent anyone from accessing /cygdrive/c/WINNT/system32, for example. If you want that kind of access restrictions, look at the "chroot" utility ("man chroot") or use DENY ACLs.
> > > > Igor
> > > >
> > > > On Tue, 12 Aug 2003, jwaterbrook wrote:
> > > >
> > > > > I decided to give that a shot, however, as I expected, that gave no output either.
> > > > > ---OUTPUT---
> > > > > Last login: Tue Aug 12 10:50:24 2003 from xxxx.yyyy.com
> > > > > Parameters:
> > > > > $
> > > > > ---END OUTPUT---
> > > > >
> > > > > Somehow, nothing is getting passed. Like I said before, it could be the distribution. If anyone has any free time, download it and see what I'm talking about.
> > > > > It's such a wonderful quick solution, it would be nice to get this so it can act as a "substitute" for a normal ftp server (and even better for some cases only using a single port).
> > > > >
> > > > > Adieu,
> > > > > Johnny
> > > > >
> > > > > Igor Pechtchanski wrote:
> > > > >
> > > > > > You might try to change that script to
> > > > > >
> > > > > > #!/bin/sh
> > > > > > echo "Parameters: $@"
> > > > > > exec /bin/sh "$@"
> > > > > >
> > > > > > Hope this helps,
> > > > > > Igor
> > > > > > On Tue, 12 Aug 2003, jwaterbrook wrote:
> > > > > >
> > > > > > > A comment about the script method:
> > > > > > >
> > > > > > > for some reason, this didn't seem to return any result.
> > > > > > > I added /usr/bin/sftponly to the passwd file instead of /bin/sh or /bin/switch and created a /usr/bin/sftponly file with this inside:
> > > > > > > #!/bin/sh
> > > > > > >
> > > > > > > echo "$*"
> > > > > > >
> > > > > > > /bin/sh
> > > > > > >
> > > > > > > however, this did not create any output. So I have a feeling nothing is being passed in this build.
> > > > > > >
> > > > > > > I may be going at this the wrong way, so if anyone would like to correct me, please do so.
> > > > > > >
> > > > > > > Thanks,
> > > > > > > Johnny
> > > > > > >
> > > > > > > Igor Pechtchanski wrote:
> > > > > > >
> > > > > > > > The thread starting at
> > > > > > > >
> > > > > > > > might be of help.
> > > > > > > > Igor
> > > > > > > >
> > > > > > > > On Mon, 11 Aug 2003, jwaterbrook wrote:
> > > > > > > >
> > > > > > > > > I haven't seemed to get very far with this,
> > > > > > > > > I was hoping someone might be able to point a blind man in the right direction
> > > > > > > > >
> > > > > > > > > Waterbrook, Johnny wrote:
> > > > > > > > >
> > > > > > > > > > I'd prefer not to start a new thread, but I've been searching for the past few hours with no luck.
> > > > > > > > > >
> > > > > > > > > > I needed a fast way to set up sftp on a winXP box, so I did a little google search and found lexa.mckenna.edu/sshwindows/ had a clean and easy way of doing this.
> > > > > > > > > > I changed the registry setting "/home" to a different drive, and the passwd file's entry form :/home/USERNAME: to :/home: so when my "aunts ex-uncle" wants to login to my sftp server, they can't browse my windows directory structure.
> > > > > > > > > >
> > > > > > > > > > However, when my "aunts ex-uncle" realizes he can also ssh into the box, I don't want him running "windows" commands such as cmd, nbtstat, dir etc. I just want to "limit" him to what is available in /bin I guess.
> > > > > > > > > >
> > > > > > > > > > Am I going about this wrong? Is there a cygwin/openssh implementation that "stands alone" from windows so I could set up a sftp server much like a normal ftp server?
> > > > > > > > > >
> > > > > > > > > > Thanks in advance,
> > > > > > > > > > Johnny
>
> --
> http://cs.nyu.edu/~pechtcha/
>       |\      _,,,---,,_		pechtcha AT cs DOT nyu DOT edu
> ZZZzz /,`.-'`'    -.  ;-;;,_		igor AT watson DOT ibm DOT com
>      |,4-  ) )-,_. ,\ (  `'-'		Igor Pechtchanski, Ph.D.
>     '---''(_/--'  `-'\_) fL	a.k.a JaguaR-R-R-r-r-r-.-.-.  Meow!
>
> "I have since come to realize that being between your mentor and his route to the bathroom is a major career booster." -- Patrick Naughton

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/
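The sftp-only login shell that Igor describes in the thread, written out as an added example (not Igor's posted script or anything from the cygwin project): it keeps his log file /tmp/sshlogin.log and the /usr/sbin/sftp-server path, but matches the arguments one by one instead of comparing "$*", and execs the server directly. The SFTP_SERVER and SFTPONLY_LOG variables and the sftp_only_allowed function name are this example's own.

```shell
#!/bin/sh
# sftponly: login shell that permits only OpenSSH's sftp subsystem.
# Added example; assumes sshd invokes the login shell as
#   <shell> -c /usr/sbin/sftp-server
# when an sftp client connects (adjust SFTP_SERVER for other layouts).
SFTP_SERVER="${SFTP_SERVER:-/usr/sbin/sftp-server}"
LOGFILE="${SFTPONLY_LOG:-/tmp/sshlogin.log}"

# Return 0 only for exactly two arguments: "-c" followed by the exact
# server path.  Checking each argument separately (instead of "$*") tells
# "-c" "/usr/sbin/sftp-server" apart from the single argument
# "-c /usr/sbin/sftp-server", which "$*" renders as the same string, and
# rejects any extra or different argument.
sftp_only_allowed() {
    [ "$#" -eq 2 ] || return 1
    [ "$1" = "-c" ] || return 1
    [ "$2" = "$SFTP_SERVER" ] || return 1
    return 0
}

# Record every invocation for review.  Never write to stdout here: the
# sftp client reads stdout as protocol data and would abort.
log_attempt() {
    printf '%s user=%s args=%s\n' "$(date '+%Y-%m-%dT%H:%M:%S')" \
        "${USER:-?}" "$*" >> "$LOGFILE" 2>/dev/null || :
}

sftponly_main() {
    log_attempt "$@"
    if sftp_only_allowed "$@"; then
        exec "$SFTP_SERVER"      # run the server itself, not a shell
    fi
    echo "Sorry, sftp only!" >&2
    exit 1
}

# Note: this limits the command, not the filesystem.  As the thread says,
# sftp-server still reaches everything the account can read (including
# /cygdrive paths); a chroot or DENY ACLs are needed for that.
case "$0" in
    *sftponly) sftponly_main "$@" ;;   # only dispatch when installed as the login shell
esac
```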