[clue-admin] Please review Member Accounts Plan on the wiki

Collins Richey crichey at gmail.com
Wed Jan 5 22:50:30 MST 2005


On Wed, 05 Jan 2005 18:48:01 -0700, David Anselmi <anselmi at anselmi.us> wrote:
> Collins Richey wrote:
> > Unless there are valid objections, this is how I plan to proceed with
> > membership accounts. Please review and post your comments in this
> > thread.
> 
> What would it take to support rsync in addition to sftp?  

Hmm? I haven't found any limited shells with that capability, other
than the obvious "real" shells which we don't want to support. If you
know of such a beast, we could consider it. I'll do some
experimentation.

> Could the
> command option in authorized_keys be used to restrict members to a small
> set of commands (rsync, sftp, scp)?  

I'm not familiar with this. Would this require an actual login shell?

> Will ssh work if the member doesn't 
> have write permission on authorized_keys (which may mean he doesn't own
> it either)?
> 

It does work for me with the 'junk' test user I set up. OTOH, I believe
this is a leftover from when we were thinking about a (restricted)
login shell. Perhaps we could drop this requirement.

But, after reading about the authorized_keys file, it would seem that
users with write access to this file could insert keys with almost any
command and thus subvert the security setup? Would you comment on
this, please. Could this be used to get a "real" shell on the account?

Thanks for the comments.

-- 
 Collins
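
The `command=` restriction asked about above, as an added example that is not part of the original message or of the CLUE setup: a forced-command script that sshd runs in place of whatever the client requested, passing through only sftp, scp and rsync server invocations. The install path `/usr/local/bin/member-gate`, the `SFTP_SERVER` default and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. Hypothetical install path /usr/local/bin/member-gate, named in a
# root-owned authorized_keys inside a root-owned ~/.ssh (member cannot edit or replace it):
#   command="/usr/local/bin/member-gate",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-rsa <KEY>
# sshd exports the client's request in SSH_ORIGINAL_COMMAND (unset for a login).
LC_ALL=C; export LC_ALL
SFTP_SERVER=${SFTP_SERVER:-/usr/lib/openssh/sftp-server}  # assumption: Subsystem path from sshd_config

# Print sftp, scp or rsync when the request has an accepted shape; else return 1.
classify_request() {
    [ "$1" = "$SFTP_SERVER" ] && { echo sftp; return 0; }
    set -f; set -- $1; set +f               # split into words, globbing off
    for w in "$@"; do                       # plain path-like words only
        case $w in *[!A-Za-z0-9./_=+:@,-]*) return 1 ;; esac
    done
    case ${1:-} in
    scp)    # remote end of a copy only: scp [-v|-r|-p|-d]... (-t|-f) PATH
        shift
        while [ $# -gt 2 ]; do
            case $1 in -v|-r|-p|-d) shift ;; *) return 1 ;; esac
        done
        [ $# -eq 2 ] || return 1
        case $1 in -t|-f) ;; *) return 1 ;; esac
        case $2 in -*) return 1 ;; esac
        echo scp ;;
    rsync)  # plain server form only: rsync --server [--sender] -FLAGS . PATH
        [ "${2:-}" = --server ] || return 1
        shift 2
        [ "${1:-}" = --sender ] && shift
        [ $# -eq 3 ] && [ "$2" = . ] || return 1
        case $1 in -[!-]*) ;; *) return 1 ;; esac
        case $3 in -*) return 1 ;; esac
        echo rsync ;;
    *)  return 1 ;;
    esac
}

gate_main() {
    PATH=/usr/bin:/bin; export PATH
    if ! classify_request "${SSH_ORIGINAL_COMMAND:-}" >/dev/null; then
        logger -t member-gate "denied ${USER:-?}: ${SSH_ORIGINAL_COMMAND:-interactive login}"
        echo "This account allows sftp, scp and rsync only." >&2
        exit 1
    fi
    set -f
    exec $SSH_ORIGINAL_COMMAND   # validated words run directly: no eval, no sh -c
}
# sshd sets SSH_CONNECTION for every session; elsewhere this only defines functions.
if [ -n "${SSH_CONNECTION:-}" ]; then gate_main; fi
```

The scp and rsync branches accept only the plain forms shown in the comments, and paths containing spaces are refused; the rrsync script distributed with rsync checks rsync options more thoroughly.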


