telnet shell access within domain & remote sftp but no remote ssh/telnet shell access!


Post by Lauri Faloo » Wed, 15 Nov 2000 04:00:00



The title explains it all! My configuration should accomplish the following:

- no remote telnet/ssh access
- remote sftp
- shell access (telnet) within domain

What is the best way to do it?

Yours truly,
Lauri Faloon

    Lauri> What is the best way to configure openssh or the commercial
    Lauri> ssh-server to not permit shell logins but only scp/sftp
    Lauri> -connections?

If the accounts are not used for anything else, then set their shells to
be a program which only runs the appropriate server.  This is tricky with
scp1; see

  http://www.snailbook.com/faq/restricted-scp.auto.html

for details, or if you can't set the account shells like that.

--
  Richard Silverman


telnet shell access within domain & remote sftp but no remote ssh/telnet shell access!

Post by Richard E. Silverm » Tue, 21 Nov 2000 14:54:50



> The title explains it all! My configure should accomplish the following:
> - no remote telnet/ssh access
> - remote sftp
> - shell access (telnet) within domain

> What is the best way to do it?

As is spelled out in the faq I pointed you at, sftp *requires* "ssh"
access, at least to run the sftp server.  So you're trying to restrict
which commands can be run on the basis of the connection source IP
address.  None of the available SSH servers does exactly this.  I think
your most reliable and secure option would be to write a custom wrapper
for the shell, which examines the SSH_CLIENT etc. environment variables
and decides what to allow based on that.

You could use different keys for access from the different locations, with
the "from" option.  However, it then gets very complicated to ensure the
user can't alter that (again as discussed in that faq document).

--
  Richard Silverman
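Both of Richard's replies describe the same approach: set the account's login shell to a restricted program, and have that program examine SSH_CLIENT to decide whether an interactive shell or only the sftp server is allowed. The following POSIX sh wrapper is an added example of such a program; it is not from the thread, the snailbook FAQ, or OpenSSH itself. It assumes OpenSSH's behaviour of invoking the login shell as `shell -c COMMAND` for subsystem and remote-command requests (and with no arguments for interactive logins), an sshd_config line of `Subsystem sftp /usr/lib/openssh/sftp-server` (path assumed), a constructed "within domain" prefix of 192.0.2., and that the script is installed under the assumed name ssh-policy-shell.

```shell
#!/bin/sh
# Added example, not from the original thread: a restricted login shell
# that allows an interactive shell only from the local domain and the
# sftp subsystem from anywhere. All three values below are assumptions.
LOCAL_PREFIX="${LOCAL_PREFIX:-192.0.2.}"                    # constructed "within domain" range
SFTP_SERVER="${SFTP_SERVER:-/usr/lib/openssh/sftp-server}"  # assumed sftp-server path
REAL_SHELL="${REAL_SHELL:-/bin/sh}"                         # shell to hand over to

# Is the given client address inside the local domain? The trailing dot in
# LOCAL_PREFIX keeps 192.0.20.x from matching 192.0.2.x.
is_local() {
  case "$1" in
    "$LOCAL_PREFIX"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Decide the action for one login. Arguments: the SSH_CLIENT value
# ("ip port serverport") and the requested command ("" for an interactive
# login). Prints exactly one of: shell, sftp, deny.
policy() {
  client="$1"; cmd="$2"
  ip="${client%% *}"
  if [ -z "$cmd" ]; then
    # Interactive login: only from the local domain.
    if is_local "$ip"; then echo shell; else echo deny; fi
  elif [ "$cmd" = "$SFTP_SERVER" ]; then
    # The sftp subsystem is the one command allowed from any source.
    echo sftp
  else
    # scp ("scp -t ..."), rsync and arbitrary commands are refused.
    echo deny
  fi
}

# Entry point when sshd (or telnetd/login) runs this as the user's shell.
main() {
  if [ -z "${SSH_CLIENT:-}" ]; then
    # Not an SSH session (console or telnet login): plain shell. Limiting
    # telnet to the local domain is the telnet daemon's job, not this one's.
    exec "$REAL_SHELL" "$@"
  fi
  if [ "$1" = "-c" ]; then cmd="$2"; else cmd=""; fi
  case "$(policy "$SSH_CLIENT" "$cmd")" in
    shell) exec "$REAL_SHELL" -l ;;
    sftp)  exec "$SFTP_SERVER" ;;
    *)     echo "Access denied from ${SSH_CLIENT%% *}" >&2; exit 1 ;;
  esac
}

# Dispatch only when installed under the assumed name, e.g.
# /usr/local/bin/ssh-policy-shell, then set with chsh for the affected accounts.
case "${0##*/}" in ssh-policy-shell) main "$@" ;; esac
```

The decision rests on SSH_CLIENT, which sshd sets itself before the shell runs; keep PermitUserEnvironment at its default of no so a user cannot override it from ~/.ssh/environment. Note that this wrapper refuses scp outright, which sidesteps the scp1 difficulty Richard mentions but means remote users get sftp only. The `from=` option on individual keys that he describes is the alternative when the source restriction is per key rather than per account.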



1. Remote system attempting to access LSA Shell ??

What is the LSA Shell (export version)? I keep being told by Norton Personal
Firewall that a remote system is attempting to access it but I don't know
whether to allow or block it.

The following information may be helpful:

Application: C:\WINDOWS\System32\lsass.exe
Protocol: UDP (Inbound)
Remote Address: 204.251.216.70 : isakmp (500)
Local Address: 0.0.0.0 : isakmp (500)

Thanks in advance.
greg.
