Login | Register For Free | Help
Search for: (Advanced)

Mailing List Archive: OpenSSH: Dev

Suggestion for openssh

  

 
OpenSSH dev RSS feed   Index | Next | Previous | View Threaded


phribbr at gmail

Feb 7, 2012, 4:04 AM

Post #1 of 7 (609 views)
Permalink
Suggestion for openssh
Hi!

I do not know if it's the ideal place, but I'm sending some suggestion.
Always use openssh and its enormous features.

- I needed to create an environment with only sftp access and thus used:

- Match User suporte
ForceCommand / usr / lib / openssh / sftp-server

OK! It worked perfectly! But only sftp.

- Create an environment with only blocking the ssh, but scp and sftp
access, I used:
- Rssh;
- Mysecureshell;
- Scponly.
Work, but change my SHELL, and also created another
environment for authentication and this is not good.


So I suggest to you developers the following idea:
- Create the following options to sshd_config:
- DenyCmdssh
- DenyCmdscp
- DenyCmdsftp
All three options above with default value "no".
If I want to scp access only could perform the following configuration.

- Match User suporte
DenyCmdssh yes
DenyCmdsftp yes
DenyCmdscp no

I see that being possible the inclusion of these options, it would kill
commands
rssh, scponly and mysecureshell and the whole configuration of openssh would
just
in / etc / ssh / sshd_config.

I imagine that working with ChrootDirectory...

OK! This was just a suggestion!
And thank you for openssh.

Thank you!
Paulo Henrique Ribeiro
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev [at] mindrot
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev


peter at stuge

Feb 7, 2012, 6:24 AM

Post #2 of 7 (605 views)
Permalink
Re: Suggestion for openssh [In reply to]
Paulo wrote:
> I see that being possible the inclusion of these options, it would
> kill commands rssh, scponly and mysecureshell and the whole
> configuration of openssh would just in / etc / ssh / sshd_config.

Mh, it's not so easy. Best stick with internal-sftp and chroot for
your support.


//Peter
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev [at] mindrot
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev


nkadel at gmail

Feb 7, 2012, 7:07 AM

Post #3 of 7 (598 views)
Permalink
Re: Suggestion for openssh [In reply to]
On Tue, Feb 7, 2012 at 9:24 AM, Peter Stuge <peter [at] stuge> wrote:
> Paulo wrote:
>> I see that being possible the inclusion of these options, it would
>> kill commands rssh, scponly and mysecureshell and the whole
>> configuration of openssh would just in / etc / ssh / sshd_config.
>
> Mh, it's not so easy. Best stick with internal-sftp and chroot for
> your support.

What are you actually trying to achieve? Safe upload/download
repositories without shell access or filesysem access except in the
relevant direcotry
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev [at] mindrot
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev


phribbr at gmail

Feb 7, 2012, 11:38 AM

Post #4 of 7 (607 views)
Permalink
Re: Suggestion for openssh [In reply to]
I know this is hard....
I do not have idea how to do it, but imagine the difficulty.

I use many ways for acess to ssh.
- Some users can acess by ssh normally.
- Others can just by sftp (I'd like scp, but without rssh, mysecureshell,
scponly) and with chroot, just for transfers.
- Others acounts are blocked in DennyHost, but should login by "su -
[user].
- Denny users login, but allow authentication(Example: command bbcp use ssh
authentication).
- etc...
I already use another tools for this, with ssh.

Remember, this is just one suggestion.
Thanks!
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev [at] mindrot
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev


mouring at offwriting

Feb 7, 2012, 12:43 PM

Post #5 of 7 (594 views)
Permalink
Re: Suggestion for openssh [In reply to]
On Feb 7, 2012, at 6:04 AM, Paulo wrote:

> Hi!
>
> I do not know if it's the ideal place, but I'm sending some suggestion.
> Always use openssh and its enormous features.
>
> - I needed to create an environment with only sftp access and thus used:
>
> - Match User suporte
> ForceCommand / usr / lib / openssh / sftp-server
>
> OK! It worked perfectly! But only sftp.
>
> - Create an environment with only blocking the ssh, but scp and sftp
> access, I used:
> - Rssh;
> - Mysecureshell;
> - Scponly.
> Work, but change my SHELL, and also created another
> environment for authentication and this is not good.
>
>
> So I suggest to you developers the following idea:
> - Create the following options to sshd_config:
> - DenyCmdssh
> - DenyCmdscp

This is kinda bogus.. "scp" is just a normal program. All the scp command
does is the moral equiv of:

tar -cvf .. | ssh .. tar -xvf

So that deny command isn't possible unless you are looking to block the whole
ability to run remote commands. Which has been discussed and the decision
was long ago to let it be a shell level issue. As there is no really good way of
handling this. Even if the user has a normal shell they can still bluff this behavior
via expect scripts.

> - DenyCmdsftp

This is also bogus because if you deny "sftp" but allow "scp" one can still
do: sftp -1 ... which will act like how scp works by ignoring the subsystem
definitions.

It would be more useful to allow "Subsystem" be allowed in a 'Match' section and
ensure 'Subsystem sftp none' or such to remove it from the user's valid subsystem
support.

Still, not useful to deny subsystems if you still give them access to run remote commands.


> All three options above with default value "no".
> If I want to scp access only could perform the following configuration.
>
> - Match User suporte
> DenyCmdssh yes
> DenyCmdsftp yes
> DenyCmdscp no

I see above as why this wouldn't block "scp" and why you really need to do it via the
shell level.

You can look through the history of this mailinglist. This isn't the first time this has come up,
and I doubt it will be the last, but in truth this isn't a problem that can be neatly solved in
sshd and there are times it is just better to manage it via 3rd party tools.

- Ben

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev [at] mindrot
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev


john.m.olsson at ericsson

Feb 7, 2012, 11:21 PM

Post #6 of 7 (594 views)
Permalink
RE: Suggestion for openssh [In reply to]
Ben Lindstrom wrote:
> It would be more useful to allow "Subsystem" be allowed in a
> 'Match' section and ensure 'Subsystem sftp none' or such to
> remove it from the user's valid subsystem support.

I'm strongly in favor of such an enhancement of OpenSSH. This would also allow for setting a chroot jail per individual subsystem. E.g. sftp chroot:ed but not ssh. :)

See also https://bugzilla.mindrot.org/show_bug.cgi?id=1975


/John

-----Original Message-----
From: openssh-unix-dev-bounces+john.m.olsson=ericsson.com [at] mindrot [mailto:openssh-unix-dev-bounces+john.m.olsson=ericsson.com [at] mindrot] On Behalf Of Ben Lindstrom
Sent: den 7 februari 2012 21:44
To: paulo.henrique [at] cptec
Cc: openssh-unix-dev [at] mindrot
Subject: Re: Suggestion for openssh


On Feb 7, 2012, at 6:04 AM, Paulo wrote:

> Hi!
>
> I do not know if it's the ideal place, but I'm sending some suggestion.
> Always use openssh and its enormous features.
>
> - I needed to create an environment with only sftp access and thus used:
>
> - Match User suporte
> ForceCommand / usr / lib / openssh / sftp-server
>
> OK! It worked perfectly! But only sftp.
>
> - Create an environment with only blocking the ssh, but scp and sftp
> access, I used:
> - Rssh;
> - Mysecureshell;
> - Scponly.
> Work, but change my SHELL, and also created another
> environment for authentication and this is not good.
>
>
> So I suggest to you developers the following idea:
> - Create the following options to sshd_config:
> - DenyCmdssh
> - DenyCmdscp

This is kinda bogus.. "scp" is just a normal program. All the scp command does is the moral equiv of:

tar -cvf .. | ssh .. tar -xvf

So that deny command isn't possible unless you are looking to block the whole ability to run remote commands. Which has been discussed and the decision was long ago to let it be a shell level issue. As there is no really good way of handling this. Even if the user has a normal shell they can still bluff this behavior via expect scripts.

> - DenyCmdsftp

This is also bogus because if you deny "sftp" but allow "scp" one can still
do: sftp -1 ... which will act like how scp works by ignoring the subsystem
definitions.


Still, not useful to deny subsystems if you still give them access to run remote commands.


> All three options above with default value "no".
> If I want to scp access only could perform the following configuration.
>
> - Match User suporte
> DenyCmdssh yes
> DenyCmdsftp yes
> DenyCmdscp no

I see above as why this wouldn't block "scp" and why you really need to do it via the shell level.

You can look through the history of this mailinglist. This isn't the first time this has come up, and I doubt it will be the last, but in truth this isn't a problem that can be neatly solved in sshd and there are times it is just better to manage it via 3rd party tools.

- Ben

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev [at] mindrot
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev [at] mindrot
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev


mouring at offwriting

Feb 8, 2012, 6:11 AM

Post #7 of 7 (584 views)
Permalink
Re: Suggestion for openssh [In reply to]
On Feb 8, 2012, at 1:21 AM, John Olsson M wrote:

> Ben Lindstrom wrote:
>> It would be more useful to allow "Subsystem" be allowed in a
>> 'Match' section and ensure 'Subsystem sftp none' or such to
>> remove it from the user's valid subsystem support.
>
> I'm strongly in favor of such an enhancement of OpenSSH. This would also allow for setting a chroot jail per individual subsystem. E.g. sftp chroot:ed but not ssh. :)
>
> See also https://bugzilla.mindrot.org/show_bug.cgi?id=1975

Completely a different thing then what was being discussed. What was being discussed was allowing say:

Match User mouring
Subsystem sftp none
Subsystem custom /usr/local/bin/custome_subsystem


Not a "Match Subsystem ..."

- Ben
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev [at] mindrot
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

OpenSSH dev RSS feed   Index | Next | Previous | View Threaded
 
 


Interested in having your list archived? Contact Gossamer Threads
 
  Web Applications & Managed Hosting Powered by Gossamer Threads Inc.