Re: HowTo Disable execution of commands with ssh and scp/sftp


 



Dario Lesca wrote:
Hi, does someone know how to disable the execution of any command via ssh and
disable the scp/sftp service?

OK: ssh user@host
NO: ssh user@host cat /etc/passwd
NO: scp user@host:/etc/passwd /tmp
NO: sftp user@host


Many thanks!


The last one is easy. Remove the following line from /etc/ssh/sshd_config:

Subsystem       sftp    /usr/libexec/openssh/sftp-server

The others may just not be possible.
If a user can ssh in, then type 'cat /etc/passwd' at their normal prompt, there is no way to prevent them from just doing 'ssh user@host cat /etc/passwd'.


Since /etc/passwd still usually needs to be world readable, you just aren't going to be able to prevent people from reading it (unless you get into some fancy new SELinux-fu). Note that you should save password hashes in /etc/shadow (which isn't readable by users) in any case.

If you -really- want to do this, you might be able to do it by assigning those users a special shell with a wrapper that exits immediately if the session is not an 'interactive' shell. I haven't tested this, but it should work for at least the first 'NO' case, and possibly for the scp as well.
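
The wrapper-shell idea from the reply above, written out as an added example that is not part of the original message. The install path /usr/local/bin/interactive-only, the REAL_SHELL variable and the function names are assumptions; the script would have to be listed in /etc/shells and set as the user's login shell.

```shell
#!/bin/sh
# Added example: wrapper login shell that only permits interactive logins.
# Assumptions (not from the thread): installed as
# /usr/local/bin/interactive-only, listed in /etc/shells, assigned with
# "usermod -s"; REAL_SHELL is the shell handed to permitted sessions.
REAL_SHELL=${REAL_SHELL:-/bin/bash}

# session_decision HAS_TTY [ARGS...]
# HAS_TTY is 1 when stdin is a terminal. ARGS are the wrapper's own arguments.
# sshd runs "<shell> -c <command>" for "ssh user@host command", for scp and
# for an external sftp-server subsystem, and runs the shell with no
# arguments for a login. A login without a terminal (ssh -T) could feed
# commands on stdin, so it is denied as well.
session_decision() {
    has_tty=$1
    shift
    if [ "$#" -gt 0 ]; then
        echo "deny: non-interactive request ($1)"
    elif [ "$has_tty" != 1 ]; then
        echo "deny: no terminal on stdin"
    else
        echo "allow"
    fi
}

main() {
    if [ -t 0 ]; then term=1; else term=0; fi
    verdict=$(session_decision "$term" "$@")
    if [ "$verdict" = "allow" ]; then
        exec "$REAL_SHELL" -l
    fi
    # Record the refusal for later review, then end the session.
    if command -v logger >/dev/null 2>&1; then
        logger -p auth.notice -t interactive-only "user=${USER:-unknown} $verdict"
    fi
    echo "This account allows interactive logins only." >&2
    exit 1
}

# Run only when installed under the wrapper's name, so the functions can be
# sourced and tested without ending the calling shell.
case "${0##*/}" in
    interactive-only) main "$@" ;;
esac
```

Once the interactive session is granted, the user can still run any command at the prompt, as the reply points out; the wrapper only refuses the command, scp and sftp-server forms that sshd passes through the login shell.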



