This is the mail archive of the cygwin@cygwin.com mailing list for the Cygwin project.



Re: michael's openssh for windows


"Ssh passes no parameters to the login shell by default"
This is exactly what was confusing me. Thank you for clarifying.
I redirected $* to a file and logged in different ways, sftp gave me output as you said, so this part of it works now.


I looked at chroot, but I can't seem to get it to take.
Where/how can I include this in my sftponly script?
I don't think DENY ACLs are an option in this distribution. Any info on it would also be helpful.


Thanks,
Johnny


Igor Pechtchanski wrote:


Johnny,

Ssh passes no parameters to the login shell by default (as your output
clearly shows). You have to check for the parameters passed by other
programs, like sftp (make sure you don't print things to stdout, as
they'll be interpreted as program messages -- better redirect the output
to some log file). FYI, I was able to restrict ssh access to sftp only by
using the following script as the login shell:


=================== CUT HERE ===================
#!/bin/sh
echo Parameters: "$@" >> /tmp/sshlogin.log
if [ "$*" != "-c /usr/sbin/sftp-server" ]; then
   echo "Sorry, sftp only!"
   exit 1
fi
exec /bin/bash "$@"
=================== CUT HERE ===================

Checking /tmp/sshlogin.log after trying to use other programs with ssh
(e.g., cvs) should give you an idea of what exact parameters they pass,
and accommodate them in your script if need be.

BTW, one important thing to know is that the above script *will not*
prevent anyone from accessing /cygdrive/c/WINNT/system32, for example.
If you want that kind of access restrictions, look at the "chroot" utility
("man chroot") or use DENY ACLs.
Igor


On Tue, 12 Aug 2003, jwaterbrook wrote:

> I decided to give that a shot, however, as I expected, that gave no
> output either.
> ---OUTPUT---
> Last login: Tue Aug 12 10:50:24 2003 from xxxx.yyyy.com
> Parameters:
> $
> ---END OUTPUT---
>
> Somehow, nothing is getting passed. Like I said before, it could be the
> distribution. If anyone has any free time, download it and see what I'm
> talking about.
> It's such a wonderful quick solution, it would be nice to get this so it
> can act as a "substitute" for a normal ftp server (and even better for
> some cases only using a single port).
>
> Adieu,
> Johnny
>
> Igor Pechtchanski wrote:
>
> > You might try to change that script to
> >
> > #!/bin/sh
> > echo "Parameters: $@"
> > exec /bin/sh "$@"
> >
> > Hope this helps,
> > Igor
> > On Tue, 12 Aug 2003, jwaterbrook wrote:
> >
> > > A comment about the script method:
> > >
> > > for some reason, this didn't seem to return any result.
> > > I added /usr/bin/sftponly to the passwd file instead of /bin/sh or
> > > /bin/switch
> > > and created a /usr/bin/sftponly file with this inside:
> > > #!/bin/sh
> > >
> > > echo "$*"
> > >
> > > /bin/sh
> > >
> > > however, this did not create any output. So I have a feeling, nothing
> > > is being passed in this build.
> > >
> > > I may be going at this the wrong way, so if anyone would like to correct
> > > me, please do so.
> > >
> > > Thanks,
> > > Johnny
> > >
> > >
> > > Igor Pechtchanski wrote:
> > >
> > > > The thread starting at
> > > > <http://cygwin.com/ml/cygwin/2003-07/msg01379.html>
> > > > might be of help.
> > > > Igor
> > > >
> > > > On Mon, 11 Aug 2003, jwaterbrook wrote:
> > > >
> > > > > I haven't seemed to get very far with this,
> > > > > I was hoping someone might be able to point a blind man in the right
> > > > > direction
> > > > >
> > > > > Waterbrook, Johnny wrote:
> > > > >
> > > > > > I'd prefer not to start a new thread, but I've been searching for the
> > > > > > past few hours with no luck.
> > > > > >
> > > > > > I needed a fast way to set up sftp on a winXP box, so I did a little
> > > > > > google search and found lexa.mckenna.edu/sshwindows/ had a clean and
> > > > > > easy way of doing this.
> > > > > > > I changed the registry setting "/home" to a different drive, and the
> > > > > > > passwd file's entry from :/home/USERNAME: to :/home: so when my "aunt's
> > > > > > > ex-uncle" wants to login to my sftp server, they can't browse my windows
> > > > > > directory structure.
> > > > > >
> > > > > > > However, when my "aunt's ex-uncle" realizes he can also ssh into the box,
> > > > > > I don't want him running "windows" commands such as cmd, nbtstat, dir
> > > > > > etc. I just want to "limit" him to what is available in /bin I guess.
> > > > > >
> > > > > > > Am I going about this wrong? Is there a cygwin/openssh implementation
> > > > > > that "stands alone" from windows so I could set up a sftp server much
> > > > > > like a normal ftp server?
> > > > > >
> > > > > > Thanks in advance,
> > > > > > Johnny


--
http://cs.nyu.edu/~pechtcha/ <http://cs.nyu.edu/%7Epechtcha/>
|\ _,,,---,,_ pechtcha@cs.nyu.edu
ZZZzz /,`.-'`' -. ;-;;,_ igor@watson.ibm.com
|,4- ) )-,_. ,\ ( `'-' Igor Pechtchanski, Ph.D.
'---''(_/--' `-'\_) fL a.k.a JaguaR-R-R-r-r-r-.-.-. Meow!


"I have since come to realize that being between your mentor and his route
to the bathroom is a major career booster." -- Patrick Naughton
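
The sftp-only login shell discussed in this thread, as an added example that is not part of the original messages: it checks the arguments sshd hands to the login shell one by one instead of comparing the joined "$*" string, and logs only to a file. The function names, the `SFTP_SERVER` default and the `LOG` path are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: per-argument check for an sftp-only login shell.
# SFTP_SERVER and LOG are assumed paths; adjust for the local install.
SFTP_SERVER=${SFTP_SERVER:-/usr/sbin/sftp-server}
LOG=${LOG:-${TMPDIR:-/tmp}/sftponly-demo.$$.log}

# Return 0 only when argv is exactly: -c <sftp-server path>.
# Comparing "$#", "$1" and "$2" separately also checks argument
# boundaries, which a comparison of the joined "$*" string cannot see.
is_sftp_request() {
    [ "$#" -eq 2 ] && [ "$1" = "-c" ] && [ "$2" = "$SFTP_SERVER" ]
}

# Record the verdict in the log file only; anything written to stdout
# would reach the sftp client as protocol data.
log_request() {
    verdict=$1
    shift
    printf '%s argc=%d argv=<%s>\n' "$verdict" "$#" "$*" >> "$LOG"
}

# Classify one argument vector without printing; the exit status is
# the decision (0 = allow, 1 = deny).
check_request() {
    if is_sftp_request "$@"; then
        log_request ALLOW "$@"
        return 0
    fi
    log_request DENY "$@"
    return 1
}

# What the login shell itself would do with its own "$@" (not run here).
sftponly_main() {
    check_request "$@" || { echo "Sorry, sftp only!" >&2; exit 1; }
    exec "$SFTP_SERVER"
}

# Demo over constructed argument vectors (not captured from a real sshd).
demo() {
    check_request -c "$SFTP_SERVER" && echo "sftp subsystem: allow"
    check_request || echo "interactive login (no args): deny"
    check_request -c "scp -t /tmp" || echo "scp upload: deny"
    check_request "-c $SFTP_SERVER" || echo "one joined argument: deny"
    check_request -c "$SFTP_SERVER -x" || echo "trailing text: deny"
}
demo
```

As the thread notes, a wrapper like this limits which program starts; it does not limit which directories that program can reach.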



