From owner-ssh@clinet.fi  Fri May 18 02:09:36 2001
Date: 	Thu, 17 May 2001 22:25:44 +0000 (zulu)
From: Zak <zak@hackers-for-hire.com>
To: Jesse Adelman <jesse@denalii.com>
Cc: ssh@clinet.fi, security <security@hackers-for-hire.net>
Subject: Re: No shell access?

On Thu, 17 May 2001, Jesse Adelman wrote:

> Hello, good SSH users and developers. I need to set up SSH such that users
> can scp and sftp but NOT log in to a shell. I've attempted to set a shell as
> /bin/<doesnotexist>, but that breaks SSH generally, including scp and sftp.
> What is the best/preferred method for disabling shell access and allowing
> scp and sftp to work?

I'd make a pseudo-shell program that detects method of invocation and then
permits limited functionality in a chroot() prison. It'd be nifty to have
a little custom interface appear for users, and you could log or track
certain stuff. And it'd be secure.

Zak Power ; executive consultant / ZENCOR Technologies International 
TIP # ZAK / SAVE # 674520faefcda17618badce99031d44343d2ddec
zak@hackers-for-hire.net
http://www.hackers-for-hire.net/~zak
599-B Yonge Street #280, Toronto, Ontario, Canada, M4Y-1Z4
(416)-820-3304 extension 220 - LEAVE MESSAGE!

====================================
   HIGH QUALITY HACKERS FOR HIRE!
  http://www.hackers-for-hire.com
    support@hackers-for-hire.com
====================================
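
The pseudo-shell idea from the reply above, as an added example that is not part of the original message or of any project's code: sshd starts the account's shell as `<shell> -c <command>` for scp and sftp requests, so the program refuses any invocation without `-c` and allowlists those two commands. The binary paths, the accepted flag set and the `scp -t|-f <path>` command form are assumptions; the chroot() and logging steps are only marked by a comment because chroot() needs root privileges.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define SFTP_SERVER "/usr/libexec/sftp-server" /* assumed path, varies by system */
#define SCP_BINARY  "/usr/bin/scp"             /* assumed path */
#define MAX_ARGS 16
enum verdict { DENY_INTERACTIVE, DENY_COMMAND, ALLOW_SCP, ALLOW_SFTP };

/* Decide how we were invoked; on ALLOW_* args[] holds the argv to exec.
 * cmd is scratch space (>= 1024 bytes) that args[] points into. */
enum verdict classify(int argc, char **argv, char *cmd, char **args)
{
    int n = 0, mode = 0;
    if (argc != 3 || strcmp(argv[1], "-c") != 0)
        return DENY_INTERACTIVE;           /* login shell: no "-c <command>" */
    /* No real shell ever sees the command, but refuse metacharacters anyway. */
    if (strlen(argv[2]) >= 1024 || strpbrk(argv[2], ";&|<>`$(){}\\\"'\n\r*?[]~!#"))
        return DENY_COMMAND;
    strcpy(cmd, argv[2]);
    for (char *t = strtok(cmd, " "); t != NULL; t = strtok(NULL, " ")) {
        if (n == MAX_ARGS - 1) return DENY_COMMAND;
        args[n++] = t;
    }
    args[n] = NULL;
    if (n == 1 && strcmp(args[0], SFTP_SERVER) == 0) return ALLOW_SFTP;
    if (n < 3 || strcmp(args[0], "scp") != 0) return DENY_COMMAND;
    /* Server-side scp: flags from a fixed set only, then exactly one path. */
    for (int i = 1; i < n - 1; i++) {
        if (args[i][0] != '-' || args[i][1] == '\0' ||
            strspn(args[i] + 1, "tfrpdv") != strlen(args[i] + 1)) return DENY_COMMAND;
        if (strchr(args[i], 't') || strchr(args[i], 'f')) mode = 1;
    }
    if (!mode || args[n - 1][0] == '-') return DENY_COMMAND;
    args[0] = SCP_BINARY;                  /* exec by absolute path, not $PATH */
    return ALLOW_SCP;
}

int main(int argc, char **argv)
{
    char cmd[1024], *args[MAX_ARGS];
    enum verdict v = classify(argc, argv, cmd, args);
    if (v == ALLOW_SCP || v == ALLOW_SFTP) {
        /* chroot() into the user's area and log the request here (omitted). */
        execv(args[0], args);
        perror("execv");
    } else
        fputs("This account is restricted to scp and sftp.\n", stderr);
    return 1;
}
```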

