On 2017-04-24, at 16:17, Pew, Curtis G wrote:

>>
>> sftp depends on ssh.  But ... is it possible to configure ssh so only the
>> sftp agent, not a shell, is allowed as an ssh agent on the server?
>
> Yes, at least on Linux. We have a server where most of the accounts are
> specified with ‘sftp-server’ as the login shell, so authorized users can drop
> off or pick up files from those accounts, but cannot run any code.
>
> I haven’t tried this on z/OS.
>

From "man ssh" (on Linux):

    NAME
         ssh — OpenSSH SSH client (remote login program)

    SYNOPSIS
         ssh [-options] [user@]hostname [command]

    DESCRIPTION
         ...
         If command is specified, it is executed on the remote host
         instead of a login shell.

Note "instead of", providing a circumvention.  And, on z/OS, the BPXWUNIX
I mentioned earlier.

Just don't let "most of the accounts" access/alter critical resources.

-- gil
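
A check for the OpenSSH side of the question in this thread, added here as an example and not taken from any of the posts: `ForceCommand internal-sftp` inside a `Match` block makes sshd ignore any command supplied by the client, independent of the account's login shell. The group, user and path names and the sample config are constructed, and the script assumes every `Match` block it reads is meant for SFTP-only accounts.

```python
# Added example (not from the thread): audit sshd_config Match blocks for SFTP-only use.

# Lower-cased keyword -> first argument expected inside each Match block.
REQUIRED = {
    "forcecommand": "internal-sftp",  # sshd ignores any client-supplied command
    "allowtcpforwarding": "no",
    "x11forwarding": "no",
    "permittty": "no",
}

# Constructed sample; group, user and path names are hypothetical.
SAMPLE = """\
Subsystem sftp internal-sftp

Match Group dropbox
    ChrootDirectory /srv/sftp/%u
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
    PermitTTY no

# Restricted only by its login shell in /etc/passwd
Match User legacyxfer
    X11Forwarding no
"""

def parse_match_blocks(text):
    """Map each Match criteria string to its {keyword: value} settings."""
    blocks, current = {}, None
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        keyword = parts[0].lower()  # sshd keywords are case-insensitive
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":  # "Match all" returns to global scope
            current = None if value.lower() == "all" else blocks.setdefault(value, {})
        elif current is not None:
            current.setdefault(keyword, value)  # first value wins, as in sshd
    return blocks

def audit(text):
    """Return {criteria: [missing 'keyword value' settings]} per Match block."""
    report = {}
    for criteria, opts in parse_match_blocks(text).items():
        report[criteria] = [f"{k} {want}" for k, want in REQUIRED.items()
                            if (opts.get(k, "").split() or [""])[0].lower() != want]
    return report

print(audit(SAMPLE))
```

An empty list means the block carries all four settings; the block for `legacyxfer` is reported because nothing in sshd_config pins it to SFTP.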