This is the mail archive of the cygwin@cygwin.com mailing list for the Cygwin project.



Re: SFTP only account


On Wed, 23 Jul 2003, Tommie Porter wrote:

> Sorry if this issue has been addressed before, but I can't find any
> instances of it in the archives.
>
> First off, I want to know if it's possible to have an SFTP only account.
> I know it's possible (FTP only) on OpenBSD. If you set their shell to
> /bin/false, they can't log in remotely, but can still FTP in. This isn't
> working for me using SFTP in CYGWIN. If I set their shell to /bin/false,
> I get what I want when they try to SSH in, which is access denied, but
> they can't SFTP in either. So I was wondering if there is a way around
> this, or if there isn't because SFTP is running as a sub-system of SSH.
> Either way, I was hoping somebody has an answer.
>
> Also, when this user SFTP's in, I have it set so that the SFTP user's
> home is my FTP directory. Is there a way to prevent them from getting
> out of this directory (i.e. cd .. or cd /cygwin/c/winnt)?
>
> Regards,
> TP

I believe this has appeared on this list before (except it was for
cvs-only accounts), but I can't seem to find it now, so I'll repeat the
solution here:

Instead of setting the shell to /bin/false, set it to a script that checks
the parameters (e.g., which program is invoked), and quits with a non-zero
return code if the program is not "sftp", for example.  That same script
can also do "chroot" to your FTP directory, so the user can't get out of
it.  Be sure to set all the relevant shell variables in the script (e.g.,
PATH, IFS, etc).
	Igor
P.S. Well, after I went to the trouble of typing the above, I did find the
original thread: <http://cygwin.com/ml/cygwin/2003-04/msg00317.html>,
included here for completeness' sake.
-- 
				http://cs.nyu.edu/~pechtcha/
      |\      _,,,---,,_		pechtcha@cs.nyu.edu
ZZZzz /,`.-'`'    -.  ;-;;,_		igor@watson.ibm.com
     |,4-  ) )-,_. ,\ (  `'-'		Igor Pechtchanski, Ph.D.
    '---''(_/--'  `-'\_) fL	a.k.a JaguaR-R-R-r-r-r-.-.-.  Meow!

"I have since come to realize that being between your mentor and his route
to the bathroom is a major career booster."  -- Patrick Naughton
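
Added example, not part of the original message or the thread it links to: a sketch of the kind of restricted login shell the reply describes, covering the command check and the shell-variable setup only (no chroot). Assumptions: the script is installed as /usr/local/bin/sftp-only (hypothetical name) and set as the account's shell, and sshd_config contains "Subsystem sftp /usr/sbin/sftp-server", so sshd starts the shell as `sftp-only -c /usr/sbin/sftp-server` for an SFTP session and with no arguments for an interactive login.

```shell
#!/bin/sh
# Restricted login shell: allow the SFTP subsystem, refuse everything else.
# The script name and the sftp-server path are assumptions; adjust to the host.

# Fixed environment first, so nothing inherited from the session matters.
PATH=/usr/bin:/bin
export PATH
unset IFS                  # unset IFS means default splitting (space, tab, newline)
unset ENV BASH_ENV CDPATH  # no startup files or cd search path from the environment

SFTP_SERVER=/usr/sbin/sftp-server   # must match the Subsystem line in sshd_config

# is_sftp_request ARGS...
# Succeeds only when the arguments are exactly: -c /usr/sbin/sftp-server
# The command string is compared as a whole and never evaluated, so a request
# such as "/usr/sbin/sftp-server; /bin/sh" does not match.
is_sftp_request() {
    [ "$#" -eq 2 ] || return 1          # interactive login passes no arguments
    [ "$1" = "-c" ] || return 1
    [ "$2" = "$SFTP_SERVER" ] || return 1
    return 0
}

main() {
    if is_sftp_request "$@"; then
        exec "$SFTP_SERVER"             # replace this shell with the SFTP server
    fi
    echo "This account is restricted to SFTP." >&2
    exit 1                              # non-zero exit: ssh login and scp are refused
}

# Dispatch only when running under the installed name, so the function above
# can be sourced and exercised without triggering exec or exit.
case "${0##*/}" in
    sftp-only) main "$@" ;;
esac
```

The script file itself should be owned by an administrator and not writable by the restricted user.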

