[scponly] protecting ~/.ssh
Paul Hyder
Paul.Hyder at noaa.gov
Fri Apr 8 09:27:11 EDT 2005
We use OpenSSH and modify the sshd.config to move the authorized hosts
(public keys) to a location above the chroot point. Since the ssh
connection happens before scponlyc does the chroot this means that you
don't need the .ssh directory in the jail. [I'm told that not all ssh
implementations permit this but if it is available the control it
provides for both normal and scponly ssh access is worth considering.]
Paul Hyder
NOAA Forecast Systems Lab
Boulder, CO
----- Original Message -----
From: Dimitri Papadopoulos-Orfanos <papadopo at shfj.cea.fr>
Date: Friday, April 8, 2005 4:06 am
Subject: [scponly] protecting ~/.ssh
> Hi,
>
> I've read on the list's archive and elsewhere that users should be
> prevented from modifying the contents of their ~/.ssh directory.
> See for example:
> https://lists.ccs.neu.edu/pipermail/scponly/2005-February/000711.html
>
> While I understand why, I'm not sure how to enforce this. Apart from the
> following filesystem-specific command, is there any other way?
> chattr +i ~/.ssh
>
> Note that having non-writable home directories does not look like a
> solution, since a ~/.ssh subdirectory is already present and has to
> belong to the user, with specific permissions.
>
> Dimitri Papadopoulos
>
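An added example, not part of the original thread or of scponly: a small audit script for the setup described in the reply above. It assumes the relocation is done with OpenSSH's `AuthorizedKeysFile` keyword and its `%u`/`%h` tokens, and that the jail is the user's home directory. The function names and the `/etc/ssh/authorized_keys/%u` layout mentioned in the comments are hypothetical, and `Match` blocks are not interpreted.

```shell
#!/bin/sh
# Added example: report where sshd will look for a user's authorized keys
# and whether that location is outside the scponly jail.
# Usage: check_keys.sh SSHD_CONFIG USER JAIL_DIR
# e.g. a config line "AuthorizedKeysFile /etc/ssh/authorized_keys/%u" (hypothetical layout)

# Print the first AuthorizedKeysFile pattern from the config, expanded for
# one user. Only the %u and %h tokens are handled here.
resolve_keys_path() {
    cfg=$1; user=$2; home=$3
    # Keywords are case-insensitive; commented-out lines do not match.
    pattern=$(awk 'tolower($1) == "authorizedkeysfile" { print $2; exit }' "$cfg")
    # OpenSSH falls back to a file under ~/.ssh when the keyword is absent.
    [ -n "$pattern" ] || pattern=".ssh/authorized_keys"
    path=$(printf '%s\n' "$pattern" | sed -e "s|%u|$user|g" -e "s|%h|$home|g")
    # Paths that are not absolute are taken relative to the home directory.
    case "$path" in
        /*) ;;
        *) path="$home/$path" ;;
    esac
    printf '%s\n' "$path"
}

# Return 0 if the keys file is outside the jail, 1 if it is inside,
# 2 if the path contains ".." and cannot be judged by string comparison.
keys_outside_jail() {
    jail=${3%/}
    path=$(resolve_keys_path "$1" "$2" "$jail")
    case "$path" in
        */../*|*/..) return 2 ;;
        "$jail"|"$jail"/*) return 1 ;;
    esac
    return 0
}

if [ "$#" -eq 3 ]; then
    if keys_outside_jail "$1" "$2" "$3"; then
        echo "OK: $(resolve_keys_path "$1" "$2" "$3") is outside $3"
    else
        echo "WARN: $(resolve_keys_path "$1" "$2" "$3") is inside or ambiguous for $3"
        exit 1
    fi
fi
```

The check is purely textual; ownership and mode of the resolved file and its parent directories still need to be verified so the jailed user cannot write to them.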