[scponly] .ssh
Charles Fry
scponly at frogcircus.org
Wed Feb 11 13:59:16 EST 2004
> I think it's best that scpjailer/chroot_setup.sh don't set $HOME to be
> writable by default since they have no way of knowing how sshd is
> configured. There may also be some other feature (or future feature)
> of OpenSSH that would allow an scponly user to gain more access than
> you intend to give by using his .ssh directory.
>
> Possibly this could be attacked from another angle. For instance, another
> way to block OpenSSH's use of the $HOME/.ssh directory is to create
> $HOME/.ssh as an unmutable empty file (chattr +i .ssh). Then the user
> wouldn't be able to remove it to create a new .ssh directory. Although
> I think chattr is a Linux/ext2 thing so it probably wouldn't be portable.
> Do most systems/filesystems have similar features?
I like the idea. It seems much more flexible than the current
restrictive setup.
Would it not be sufficient for .ssh to be owned by root, and to deny
group and other write permissions?
Charles
--
Life is sweet
But oh how bitter!
To love a gal
And then
Not git 'er
Burma-Shave
http://frogcircus.org/burmashave/1941/life_is_sweet
More information about the scponly
mailing list