I am currently running OpenSSH 4.3. I would like to restrict the commands SFTP users can run to a list. For example, "put, get, mput, mget, mkdir, rmdir, and rm". Is this possible with OpenSSH? I have seen many posts concerning chroot'ing and the Forced Command option, but none of these solutions address restricting the commands actually available inside the SFTP subsystem. Any insight would be greatly appreciated.

Thanks,

Jason Dickerson

On Mon, 9 Feb 2009, Jason Dickerson wrote:

> I am currently running OpenSSH 4.3. I would like to restrict the commands
> SFTP users can run to a list. For example, "put, get, mput, mget, mkdir,
> rmdir, and rm". Is this possible with OpenSSH? I have seen many posts
> concerning chroot'ing and the Forced Command option, but none of these
> solutions address restricting the commands actually available inside the SFTP
> subsystem. Any insight would be greatly appreciated.

This isn't supported, or planned. You can perform fairly effective restriction with file/directory permissions alone.

-d

Jason Dickerson wrote:

> I am currently running OpenSSH 4.3. I would like to restrict the commands
> SFTP users can run to a list. For example, "put, get, mput, mget, mkdir,
> rmdir, and rm". Is this possible with OpenSSH? I have seen many posts
> concerning chroot'ing and the Forced Command option, but none of these
> solutions address restricting the commands actually available inside the SFTP
> subsystem. Any insight would be greatly appreciated.
>
> Thanks,
>
> Jason Dickerson

The sftp-server application source code is quite simple. It will require minimal C knowledge to replace the unwanted command handlers with versions that return SSH_FXP_STATUS messages with an SSH_FX_FAILURE code.

Modify the source, compile it and install the new application on your server (as /usr/lib/my-sftp-server, for instance) and change the sshd sftp sub-system configuration to use it for all or some users.

Cheers,

- Salva
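
The approach in the reply above, sketched as an added example that is not part of the original thread and is not OpenSSH code: a stand-alone gate that lets listed SFTP request types through and builds an SSH_FXP_STATUS / SSH_FX_FAILURE reply for everything else. The function `gate_request`, the `allowed` table and the mapping from client commands (put, get, mput, mget, mkdir, rmdir, rm) to protocol request types are assumptions; the packet numbers follow the SFTP version 3 draft.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Packet types and status code as numbered in the SFTP version 3 draft. */
enum { SSH_FXP_OPEN = 3, SSH_FXP_CLOSE, SSH_FXP_READ, SSH_FXP_WRITE,
       SSH_FXP_LSTAT, SSH_FXP_FSTAT, SSH_FXP_SETSTAT, SSH_FXP_FSETSTAT,
       SSH_FXP_OPENDIR, SSH_FXP_READDIR, SSH_FXP_REMOVE, SSH_FXP_MKDIR,
       SSH_FXP_RMDIR, SSH_FXP_REALPATH, SSH_FXP_STAT, SSH_FXP_RENAME,
       SSH_FXP_READLINK, SSH_FXP_SYMLINK, SSH_FXP_STATUS = 101 };
enum { SSH_FX_FAILURE = 4 };
/* Assumed policy: requests needed for put/get/mput/mget/mkdir/rmdir/rm.
 * Anything not listed (rename, setstat, symlink, extensions) is refused. */
static const uint8_t allowed[] = {
    SSH_FXP_OPEN, SSH_FXP_CLOSE, SSH_FXP_READ, SSH_FXP_WRITE, SSH_FXP_LSTAT,
    SSH_FXP_FSTAT, SSH_FXP_OPENDIR, SSH_FXP_READDIR, SSH_FXP_REMOVE,
    SSH_FXP_MKDIR, SSH_FXP_RMDIR, SSH_FXP_REALPATH, SSH_FXP_STAT };

static size_t put_u32(uint8_t *p, uint32_t v) {   /* big-endian uint32 */
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
    return 4;
}
static size_t put_str(uint8_t *p, const char *s) { /* uint32 length + bytes */
    size_t n = strlen(s);
    put_u32(p, (uint32_t)n); memcpy(p + 4, s, n);
    return 4 + n;
}
/* Hypothetical gate, called before dispatch with the request's type and id.
 * Returns 0 if the real handler should run; otherwise writes an SSH_FXP_STATUS
 * reply into out (at least 32 bytes) and returns the number of bytes written. */
size_t gate_request(uint8_t type, uint32_t id, uint8_t *out) {
    size_t i, off = 4;
    for (i = 0; i < sizeof(allowed); i++)
        if (allowed[i] == type) return 0;
    out[off++] = SSH_FXP_STATUS;
    off += put_u32(out + off, id);              /* echo the request id */
    off += put_u32(out + off, SSH_FX_FAILURE);
    off += put_str(out + off, "Failure");       /* error message */
    off += put_str(out + off, "");              /* language tag */
    put_u32(out, (uint32_t)(off - 4));          /* length excludes itself */
    return off;
}
int main(void) {
    uint8_t r[32];
    printf("%zu %zu\n", gate_request(SSH_FXP_MKDIR, 1, r), gate_request(SSH_FXP_RENAME, 2, r));
    return 0;
}
```

The table is keyed on protocol request types because the client-side command names never reach the server; a single `get` or `put` arrives as a sequence of open, read or write, and close requests.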