RE: only sftp please

From: Johnson, Michael <Michael.Johnson.03_at_**********.***>
Date: Wed Oct 22 2003 - 11:25:15 EDT

To disable port forwarding, add "AllowTcpForwarding no" to sshd_config in
the etc directory.

From the sshd_config(5) manpage:

AllowTcpForwarding
             Specifies whether TCP forwarding is permitted. The default is
             ``yes''. Note that disabling TCP forwarding does not improve
             security unless users are also denied shell access, as they can
             always install their own forwarders.

 -Michael
  http://lexa.mckenna.edu/sshwindows/

-----Original Message-----
From: David Howe [mailto:DaveHowe@cmn.sharp-uk.co.uk]
Sent: Wednesday, October 22, 2003 5:23 AM
To: Secure Shell Discussions
Subject: Re: only sftp please

Johnson, Michael wrote:
> Or just put an invalid shell in the shell line (/bin/nologon
> perhaps?). Note that I have not tested this before sending, but I
> remember seeing it work before. SCP might be affected (I believe it
> needs a shell, but I could be wrong), but SFTP should not be affected.

As (perhaps) an aside - I change the shell on my sftp-only users to
/bin/passwd - this allows them to change their passwords if they want to by
sshing to the box instead of using sftp :)
I have noticed, however, that the alternate shell method does not prevent them
from using tunnels.... still, one step at a time :)

--
List Information: http://tech.erdelynet.com/mailman/listinfo/ssh-l/
List Archives:    http://erdelynet.com/archive/ssh-l/
To Unsubscribe: Go to http://tech.erdelynet.com/mailman/options/ssh-l/michael.johnson.03@mckenna.edu
If you don't know your password, have it emailed to you. Then unsubscribe.
Received on Wed Oct 22 11:30:10 2003
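
The two points in this thread (a restricted shell alone does not stop tunnels, and "AllowTcpForwarding no" alone does not help if the user has a shell) can be checked together. The following is an added example, not part of either message: the function names, the list of restricted shells and the sample file contents are assumptions constructed for illustration.

```python
# Added example: names, shell list and sample data are assumptions, not from the thread.
RESTRICTED_SHELLS = {"/bin/passwd", "/bin/false", "/sbin/nologin"}

def tcp_forwarding(sshd_config_text):
    """Global AllowTcpForwarding value. sshd keeps the first value it reads
    for a keyword and defaults to "yes"; Match blocks are not evaluated here."""
    for raw in sshd_config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Keyword and argument are separated by whitespace or a single "=".
        parts = line.replace("=", " ", 1).split(None, 1)
        keyword = parts[0].lower()          # keywords are case-insensitive
        if keyword == "match":
            break                           # only the global section is read
        if keyword == "allowtcpforwarding" and len(parts) == 2:
            return parts[1].strip().strip('"')
    return "yes"

def audit_sftp_only(users, sshd_config_text, passwd_text):
    """Return {user: [problems]} for accounts that are meant to be sftp-only."""
    shells = {}
    for entry in passwd_text.splitlines():
        fields = entry.strip().split(":")
        if len(fields) == 7:                # name:pw:uid:gid:gecos:home:shell
            shells[fields[0]] = fields[6]
    forwarding = tcp_forwarding(sshd_config_text)
    report = {}
    for user in users:
        problems = []
        shell = shells.get(user)
        if shell is None:
            problems.append("no passwd entry")
        elif shell not in RESTRICTED_SHELLS:
            problems.append(f"login shell {shell} gives shell access")
        if forwarding != "no":
            problems.append(f"AllowTcpForwarding is {forwarding}: tunnels possible")
        report[user] = problems
    return report

# Constructed sample inputs (not taken from any real host).
SAMPLE_SSHD_CONFIG = "# constructed sshd_config\nPort 22\nSubsystem sftp /usr/libexec/sftp-server\n"
SAMPLE_PASSWD = ("alice:x:1001:1001::/home/alice:/bin/passwd\n"
                 "bob:x:1002:1002::/home/bob:/bin/bash\n")

if __name__ == "__main__":
    result = audit_sftp_only(["alice", "bob"], SAMPLE_SSHD_CONFIG, SAMPLE_PASSWD)
    for user, problems in result.items():
        print(user, problems or "ok")
```

An account comes back with an empty list only when both conditions hold: its shell is in the restricted set and the global AllowTcpForwarding value is "no".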
