a) The new user is asked to login with passwd as opposed to pubkey. This is
surprising as (I thought) that I had set up sshd_config to allow pubkey
authentication only - need to check this again when I get home. Other than a
misconfigured sshd_config could it be anything else that causes this?
If you want to disable password based logons, and only use shared keys,
then change "UsePAM yes" to "UsePAM no".
b) Once logged in via sftp the new user can read and access other users files.
This is because the default permission setting for /home/%u/ is 0644
(rw-r--r--). Is there a clever way of tightening this down without messing
up all home file and directory permissions indiscriminately?
chmod 700 /home/*
I understand that there are many ways to skin a cat - in this case to contain
somewhat what a plain user can and cannot do when they log in via sftp. Some
ideas that I have across are to use a limited shell like rssh, use an ssh
chroot, modify the umask for user directories.
I am interested to find out what you might have tried and what you would
recommend.
If you're that worried about them having shell access, then don't use
sftp. Use encrypted ftp (ftp + tls ... pureftpd provides this) for file
transfers, or even webdav over https.
-Sean
--
[EMAIL PROTECTED] mailing list
