HowTo Disable execution of commands with ssh and scp/sftp
Bevan C. Bennett
bevan at fulcrummicro.com
Thu Mar 11 18:08:17 UTC 2004
Dario Lesca wrote:
> Hi, does someone know how to disable the execution of any command via ssh and
> disable the scp/sftp service?
>
> OK: ssh user@host
> NO: ssh user@host cat /etc/passwd
> NO: scp user@host:/etc/passwd /tmp
> NO: sftp user@host
>
> Many thanks!
>
The last one is easy. Remove the following line from /etc/ssh/sshd_config:
Subsystem sftp /usr/libexec/openssh/sftp-server
The others may just not be possible.
If a user can ssh in, then type 'cat /etc/passwd' at their normal
prompt, there is no way to prevent them from just doing 'ssh user@host
cat /etc/passwd'.
Since /etc/passwd still usually needs to be world readable, you just
aren't going to be able to prevent people from reading it (unless you
get into some fancy new SELinux-fu). Note that you should save password
hashes in /etc/shadow (which isn't readable by users) in any case.
If you -really- want to do this, you might be able to do it by assigning
those users a special shell with a wrapper that exits immediately if the
session is not an 'interactive' shell. I haven't tested this, but it
should work for at least the first 'NO' case, and possibly for the scp
as well.
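
The wrapper-shell idea from the reply above, as an added example that is not part of the original post: sshd runs `ssh user@host command` as `<login shell> -c 'command'`, so the wrapper refuses any invocation that carries arguments or has no terminal on stdin. The install path `/usr/local/bin/interactive-only-shell`, the `REAL_SHELL` value and the function names are assumptions.

```shell
#!/bin/sh
# Login-shell wrapper: allow interactive logins only (added example).
# Assumption: installed as /usr/local/bin/interactive-only-shell and set as
# the restricted users' shell in /etc/passwd.

REAL_SHELL=/bin/bash   # assumption: the shell handed to interactive users

# classify_session HAS_TTY [ARGS...]
# Prints "allow", "deny-command" or "deny-no-tty".
classify_session() {
    has_tty=$1
    shift
    # Any argument means sshd passed "-c <command>" (remote command or scp).
    if [ "$#" -gt 0 ]; then
        echo deny-command
        return 0
    fi
    # No arguments but no terminal: commands are being piped in on stdin.
    if [ "$has_tty" != yes ]; then
        echo deny-no-tty
        return 0
    fi
    echo allow
}

main() {
    if [ -t 0 ]; then tty=yes; else tty=no; fi
    verdict=$(classify_session "$tty" "$@")
    if [ "$verdict" != allow ]; then
        # Record the refusal so attempts are visible in syslog.
        logger -t interactive-only-shell "refused ($verdict) user=$(id -un) args=$*"
        echo "Only interactive logins are permitted." >&2
        exit 1
    fi
    # Replace the wrapper with the real shell, started as a login shell.
    exec "$REAL_SHELL" -l
}

# Run main only when invoked under the installed name, so the file can be
# sourced or tested without starting a shell.
case "$0" in
    */interactive-only-shell) main "$@" ;;
esac
```

As the reply notes, this does not stop a logged-in user from typing the same command at the prompt.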