I've searched for a viable answer to this question, and most of the answers include advice on why not to do it. However, here's the scenario, and what makes it necessary: I have a console app, and in each user's .profile there is a startup command for the app, and directly after the command that starts it up there's an "exit" command, which logs them out of the system. I only want them to be able to access this console app through the interface provided by it. Upon startup, the app presents the user with a list of clients that can be accessed through the app, with each client having their own data directory. Users are granted access to only the clients that they will need access to.

Now here's the problem: if I give the users SSH access, they will also be able to log in using an SFTP client, which will give them direct access to the data directories for the app, which is VERY undesirable, since that will also give them access to the data directories to which they should not have access. This was such a simple thing to do when using a telnet/FTP combination, but now that I want to give the users access from anywhere on the internet, I haven't been able to find a way to shut them out of SFTP while still allowing them access to the shell where they can run the app.

As others have mentioned, disabling sftp isn't anywhere near sufficient - a user with unrestricted ssh access can view any file that their account has permissions to view, can modify anything they have permission to modify, and can easily download anything they can read to their own machine. The only way to stop them from doing this is to actually restrict their access. Do not use .profile to restrict users, as that's not what it's for (Edit: As Aleksi mentions in his answer, it is in fact trivial to bypass .profile. .profile is for convenience, not security, so it's not intended to restrict the user. Use things designed for security, like the things below, to provide security).

There are two basic ways to do this: you could restrict them via file permissions, or force them to only execute your console app. The second way is better: assign users who should be restricted to the console app to a group (e.g. customers), then, in sshd_config, add the following lines:

    Match Group customers

What this does is make it so that all connections from users in that group open the console app; they cannot start anything else, including the sftp server tool. This also stops them from doing anything else with the system, and unlike .profile, does so using the SSH server itself (
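An added example, not code from the original question or answer: the sshd_config Match block the answer describes, written out as a hardened fragment, together with a small check that a given sshd_config really force-commands the group. The group name "customers", the app path /usr/local/bin/consoleapp and the sample configs are placeholders constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original post). Emits a hardened sshd_config
# Match block for a restricted group and checks an sshd_config file for it.
# Placeholders: group "customers", app at /usr/local/bin/consoleapp.

# Emit the Match block. ForceCommand replaces whatever the client requested
# (interactive shell, a remote command, or the sftp subsystem) with the console
# app, so there is no sftp path for these users. The other directives close
# the usual side channels (TCP/agent/X11 forwarding, tunnels).
restricted_block() {
    group="$1"
    app="$2"
    cat <<EOF
Match Group $group
    ForceCommand $app
    AllowTcpForwarding no
    AllowAgentForwarding no
    X11Forwarding no
    PermitTunnel no
EOF
}

# Return 0 if the sshd_config in $1 has a "Match Group $2" block that sets
# ForceCommand, 1 otherwise. Directives are case-insensitive; a Match block
# runs until the next Match line. Handles the simple single-criterion form
# only (not "Match User x Group y" or comma-separated group lists).
group_is_forced() {
    awk -v grp="$2" '
        tolower($1) == "match" { inblock = (tolower($2) == "group" && $3 == grp); next }
        inblock && tolower($1) == "forcecommand" { found = 1 }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Constructed sample configs: one locked down, one that only tweaks X11.
good=$(mktemp); bad=$(mktemp)
{ printf 'Subsystem sftp /usr/lib/openssh/sftp-server\n'
  restricted_block customers /usr/local/bin/consoleapp; } > "$good"
printf 'Subsystem sftp /usr/lib/openssh/sftp-server\nMatch Group customers\n    X11Forwarding no\n' > "$bad"

group_is_forced "$good" customers && echo "good: customers are locked to the console app"
group_is_forced "$bad" customers || echo "bad: customers can still get a shell and sftp"
```

On a real server, `sshd -T -C user=<name>,host=<host>,addr=<addr>` prints the directives that would apply to that connection, which is the authoritative way to confirm the Match block takes effect for a given user.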