[scponly] ssh server no longer scponly's

Paul Hyder Paul.Hyder at noaa.gov
Thu Feb 10 12:01:47 EST 2005


Very strange.  The ssh authentication and connection process occurs
first and then normally would be executing the shell specified in the
(top level) /etc/password file.  (The chroot and other lock downs
happen in scponlyc when it executes.)  What changes when you activate
LDAP on the server?  It sounds like it no longer uses the shell
information in /etc/password.  Perhaps shell info is also coming
from LDAP?
    Paul Hyder
    NOAA Forecast Systems Lab

----- Original Message -----
From: "Heath Henderson" <hendersonh at unit5.org>
Date: Thursday, February 10, 2005 9:08 am
Subject: Re: [scponly] ssh server no longer scponly's

> It actually works fine for local accounts.  As it should.  However, with
> users authenticated via LDAP, it no longer works on this one server.
> 
> I can login from another server or from the LDAP server itself and get
> an scponly shell (as I expect).
> 
> 
> 
> Heath Henderson
> Assistant Technology Administrator
> McLean County Unit 5 Schools
> Normal, IL 61761   
> 
> 
> >>> "Paul Hyder" <Paul.Hyder at noaa.gov> 2/10/2005 9:45:25 AM >>>
> This sounds like a jail configuration problem.  You sure the top
> level password file has scponlyc as the shell?  How do you test to
> see if there is a shell?  (An "ssh ls" could work as might a few
> ssh commands depending on the exact set of compiled in options but
> a login shouldn't be possible unless the top level password file
> isn't locked down.)
>     Paul Hyder
>     NOAA Forecast Systems Lab
> 
> ----- Original Message -----
> From: "Heath Henderson" <hendersonh at unit5.org>
> Date: Thursday, February 10, 2005 0:17 am
> Subject: [scponly] ssh server no longer scponly's
> 
> > I have an ssh server which up until about 30 minutes ago would allow
> > logins only via WinSCP.  This is just as I had it set.
> > 
> > Server - Fedora C3.  Login via ssh (authentication done to LDAP server)
> > Everything seems to be working normally, but login via ssh terminal now
> > allows a shell?  I can login to the Server directly and get the correct
> > scponly shell denial, but not the ssh server?  Thoughts?
> > 
> > Heath Henderson
> > Assistant Technology Administrator
> > McLean County Unit 5 Schools
> > Normal, IL 61761   
> > 
> > 
> 
> 
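
A check for the situation discussed in this thread, as an added example that is not part of the original messages: sshd runs whatever login shell NSS resolves for the account, so the script classifies a user from the `getent passwd` entry and the local `/etc/passwd` line. The allowed scponly paths are assumptions to adjust for your installation.

```shell
#!/bin/sh
# Added example (not from the thread). The shell paths are assumptions:
# list the paths where scponly/scponlyc are installed on your system.
ALLOWED_SHELLS="/usr/bin/scponly /usr/sbin/scponlyc /usr/local/bin/scponly /usr/local/sbin/scponlyc"

# shell_of ENTRY: print field 7 (login shell) of one passwd(5)-format line.
shell_of() {
    printf '%s\n' "$1" | awk -F: 'NR == 1 { print $7 }'
}

# is_restricted SHELL: succeed only if SHELL is on the allow list.
# An empty shell field means /bin/sh, so it is never restricted.
is_restricted() {
    for allowed in $ALLOWED_SHELLS; do
        if [ "$1" = "$allowed" ]; then return 0; fi
    done
    return 1
}

# classify NSS_ENTRY LOCAL_ENTRY: NSS_ENTRY is what "getent passwd USER"
# returns (the view sshd gets), LOCAL_ENTRY is the /etc/passwd line or empty.
classify() {
    if [ -z "$1" ]; then echo "unknown-user"; return; fi
    nss_shell=$(shell_of "$1")
    if is_restricted "$nss_shell"; then echo "restricted"; return; fi
    if [ -n "$2" ] && [ "$(shell_of "$2")" = "$nss_shell" ]; then
        echo "interactive-local"      # /etc/passwd itself grants the shell
    else
        echo "interactive-nonlocal"   # shell supplied by another NSS source, e.g. LDAP
    fi
}

# Live check when a user name is given: ./check.sh USER
if [ "$#" -ge 1 ]; then
    nss_entry=$(getent passwd "$1" || true)
    local_entry=$(awk -F: -v u="$1" '$1 == u' /etc/passwd)
    echo "$1: $(classify "$nss_entry" "$local_entry")"
fi
```

An `interactive-nonlocal` result on one server but not on others points at that server's NSS sources rather than at scponly itself.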



