On Mon, 24 Apr 2017 16:36:29 -0600, Paul Gilmartin wrote:

>On 2017-04-24, at 16:17, Pew, Curtis G wrote:
>>> 
>>> sftp depends on ssh.  But ... is it possible to configure ssh so only the
>>> sftp agent, not a shell, is allowed as an ssh agent on the server?
>> 
>> Yes, at least on Linux. We have a server where most of the accounts are 
>> specified with 'sftp-server' as the login shell, so authorized users can 
>> drop off or pick up files from those accounts, but cannot run any code.
>> 
>> I haven't tried this on z/OS.
>>  
>From "man ssh" (on Linux):
>
>NAME
>     ssh - OpenSSH SSH client (remote login program)
>
>SYNOPSIS
>     ssh [-options] [user@]hostname [command]
>
>DESCRIPTION
>     ...
>     If command is specified, it is executed on the remote host instead of a
>     login shell.
>
>Note "instead of", providing a circumvention.
>

What actually happens is that the account's shell is executed with arguments
"-c" and the command text, which means the account's shell is not running as
a "login shell".
I'm speaking of Linux. I haven't worked with ssh/sshd on z/OS.

Bill

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
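
The invocation described in the last reply, as an added example that is not part of the original thread: for `ssh host command` the account's shell is started as `SHELL -c COMMAND`, so whether the command runs depends on what that account's shell does with `-c`. The function names and the transfer-only stub are hypothetical, constructed here for illustration.

```shell
#!/bin/sh
# Added illustration: models only the argv that sshd hands to the account's shell.

# invoke_like_sshd SHELL COMMAND
# For "ssh host command", the account's shell is run as: SHELL -c COMMAND
invoke_like_sshd() {
    "$1" -c "$2"
}

# make_transfer_only_stub PATH  (hypothetical helper)
# Constructed stand-in for a login program that is not a command interpreter:
# it never treats the text after "-c" as something to execute.
make_transfer_only_stub() {
    cat > "$1" <<'EOF'
#!/bin/sh
echo "not a shell; ignoring arguments: $*" >&2
exit 1
EOF
    chmod +x "$1"
}

# command_runs SHELL
# Prints "yes" if a remote command would execute under that account shell.
command_runs() {
    marker="ran-$$"
    out=$(invoke_like_sshd "$1" "echo $marker" 2>/dev/null </dev/null) || :
    if [ "$out" = "$marker" ]; then echo yes; else echo no; fi
}

demo() {
    tmp=$(mktemp -d) || return 1
    make_transfer_only_stub "$tmp/transfer-only"
    echo "account shell /bin/sh:        command runs? $(command_runs /bin/sh)"
    echo "account shell transfer-only:  command runs? $(command_runs "$tmp/transfer-only")"
    rm -rf "$tmp"
}

demo
```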
