Displaying 20 results from an estimated 9000 matches similar to: "restricted scp and/or sftp"
2007 Sep 05
3
Chrooting SFTP over SSH2
Hi,
As per the subject line - if I look up setting up chroot jails for SFTP over
SSH2 I'm led to various Web sites and patches and also to a CentOS wiki page
dated 2005, but what's the 'best' or 'correct' way to set this up for Centos
4.5 and 5?
Thanks
2017 Sep 01
3
sftp/scp only without real users
Hi,
my goal: sftp/scp only access, without the need for linux users.
I want to provide 10 sftp/scp directories to 10 people. Let's call this
"virtual account"
I don't want to create linux users for each of them.
I would like to create one linux user (backup_user). In his
home-directory will be 10 directories. For each "virtual account" one
directory.
Every
2019 Jan 23
3
Status of SCP vulnerability
I worked on a proposal like this a few years back (including proof of
concept code).? I taught sftp to have an scp personality (closer to scp2
than scp), and it was rejected by the higher ups.? It may have been the
dual-personality issue, but I know the scp2 concept was also rejected at
the time as it was stated there should be one transfer tool.
But the only way to drag scp into this century
2023 Nov 12
3
restrict file transfer in rsync, scp, sftp?
I am supporting a site that allows members to upload release files. I
have inherited this site which was previously existing. The goal is
to allow members to file transfer to and from their project area for
release distribution but not to allow general shell access and not to
allow access to other parts of the system.
Currently rsync and old scp has been restricted using a restricted
shell
2017 Feb 10
4
Disabling specific commands in sftp
Hi,
On CentOS 7 I?m trying to set up a chrooted SFTP server on which specific users can only read and write on specific folder. And I?d like to disable some commands, so the users can only do ?cd?, ?ls?, ?get? and ?put? (and disabling ?chgrp?, ?chmod?, ?chown?, ?df? etc ?). Is there a way to achieve it, natively or with using a third-party software ?
Alexandre MALDEME
Analyste d'exploitation
2004 Oct 23
1
rssh: pizzacode security alert
PIZZACODE SECURITY ALERT
program: rssh
risk: low[*]
problem: string format vulnerability in log.c
details:
rssh is a restricted shell for use with OpenSSH, allowing only scp
and/or sftp. For example, if you have a server which you only want to
allow users to copy files off of via scp, without providing shell
access, you can use rssh to do that. Additioanlly, running rsync,
rdist, and cvs are
2023 Dec 07
3
Non-shell accounts and scp/sftp
Hi,
We have a CLI that certain users get dropped into when they log in. One of the things they can go is generate certificates (actually .p12 key/certificate bundles) that they will then scp out of the box from another host.
Problem is that if their default shell isn't sh, ash, dash, bash, zsh, etc. then things break. Is there a workaround to allow scp/sftp to continue to work even for
2005 Dec 30
5
rssh: root privilege escalation flaw
Affected Software: rssh - all versions prior to 2.3.0
Vulnerability: local user privilege escalation
Severity: *CRITICAL*
Impact: local users can gain root access
Solution: Please upgrade to v2.3.1
Summary
-------
rssh is a restricted shell which allows a system administrator to
limit users' access to a system via SSH to scp, sftp, rsync, rdist,
and cvs. It also allows the system
2005 Mar 24
1
"ssh user@server /bin/sh" vs "no-pty" option.
Hello List,
Do I get it right that I *MUST* chroot a user first and make
/bin/rssh his shell in the /etc/passwd to effectively restrict him?
There should be no /bin/ksh (or bash) in his jail?
If I do not jail him - no matter what is his passwd shell - he will
be able to issue "ssh user at server /bin/sh" still, right?
--
Best regards,
Anthony mailto:rz1a at
2008 Oct 05
4
Why is -e sent to the remote rsync side?
> $ rsync -e 'ssh -v' lingnu.com:
> OpenSSH_5.1p1 Debian-2, OpenSSL 0.9.8g 19 Oct 2007
> debug1: Reading configuration data /etc/ssh/ssh_config
> debug1: Applying options for *
> debug1: Connecting to lingnu.com [199.203.56.105] port 22.
> debug1: Connection established.
...
> debug1: Sending command: rsync --server --sender -de.L .
As we can see, rsync runs ssh, and
2023 Jul 06
1
Subsystem sftp invoked even though forced command created
On 05.07.23 18:01, MCMANUS, MICHAEL P wrote:
> It appears the forced command either does not run or runs to completion
> and exits immediately, as there is no process named "receive.ksh" in
> the process tree.
FWIW, two cents of mine:
-- The script *exiting* should *not* prompt sshd to execute the
requested subsystem "as a second thought", or else it'd happen
2002 Aug 21
1
vulnerabilities in scponly
An embedded and charset-unspecified text was scrubbed...
Name: msg.pgp
Url: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20020820/23eb5774/attachment.ksh
2006 Jun 24
1
[PATCH] sftp-server Restricted Access
Hello,
This patch makes it possible to restrict sftp sessions to a certain
subtree of the file system on a per-Unix account basis. It requires a
program such as rssh or scponly to function. A patch for rssh is also
attached to this email.
The method employed uses realpath() and a string comparison to check
that each file or directory access is allowed.
With this patch, sftp-server takes a
2001 May 09
3
"ksh: scp: not found"
I upgraded a compiled version of ssh-1.2.27 to a swinstalled depot of
OpenSSH_2.5.1p1 on HPUX-11.00.
I created links in /usr/local/bin/<ssh program> pointing to
/opt/openssh2/bin/<ssh program>.
Ssh works. Scp does not. HP support does not support ssh.
Below the line you will find the output of a verbose scp command from
the server to it self.
2015 May 02
2
sftp chroot requirements
Hi Damien,
Thank you. I read the rationale.
Just to summarize, a user writeable chroot target is considered
dangerous if:
1) the user has another way of gaining non-chrooted access to the system
2) is able to create hardlinks to setuid-binaries outside of the chroot tree
3) there are bugs somewhere that allow privilige escalation or remote
execution of other programs
While all these
2023 Jul 05
1
Subsystem sftp invoked even though forced command created
On Mon, 3 Jul 2023, Jochen Bern wrote:
> On 30.06.23 17:56, MCMANUS, MICHAEL P wrote:
> > The actual command is similar to the following (parameters inserted to
> > protect the source):
> > (print ${FQDN} ; print ${Environment} ; cat ${OutFileXML}) | \
> > ssh -Ti ${EmbeddedPrivateKey} \
> > -o HostKeyAlias="${Alias}" \
2023 Jul 03
1
Subsystem sftp invoked even though forced command created
On 30.06.23 17:56, MCMANUS, MICHAEL P wrote:
> The actual command is similar to the following (parameters inserted to protect the source):
> (print ${FQDN} ; print ${Environment} ; cat ${OutFileXML}) | \
> ssh -Ti ${EmbeddedPrivateKey} \
> -o HostKeyAlias="${Alias}" \
> -o
2003 Jan 03
0
[patch] chroot support for openssh-3.5p1
Good Morning All,
Attached is a full patch [or so I hope] enabling chroot support for sshd. I know varied opinions about chroot exist
among the masses; however, I continue to believe that until something far outside the scope of openssh tackles the
sandbox issue, the role of enforcer will continue to be with the daemon.
This patch is based on a previous work by John Furman as well as Eric
2007 Jul 27
1
secure user restriction
I am using sftp-server chroot patch:
http://marc.info/?l=openssh-unix-dev&m=116043792120525&w=2
Works fine, except user is able to ssh in box.
I could change users shell to /usr/libexec/sftp-server, but then
chrooting wouldn't work.
What is secure way to accomplish this, so that I could
give friend ssh access, so that he could upload/download stuff, but
not compromise my system or
2023 Jul 05
1
Subsystem sftp invoked even though forced command created
On 05.07.23 02:50, Damien Miller wrote:
> Some possibilities:
> 1. the receive.ksh script is faulty in some way that causes it to invoke
> sftp-server
How would the script even *know* that the client requested the SFTP
subsystem? Is a subsystem's executable/path, supposedly internally
overwritten with the forced command at that point, exposed through
$SSH_ORIGINAL_COMMAND ?