I'm currently fighting a losing battle to restrict SSH client access to my
server, and I thought I would pass along my thoughts to the developers of
lsh and any other SSH clones. (And if anyone has fought this battle and
won, I'd love to hear about it!)
As I see it, SSH provides 6 general features:
1) ftp
2) Remote copy
3) Remote login
4) Remote command execution
5) TCP port forwarding
6) X11 forwarding
Because my interest in SSH is in providing encrypted file transfers to and
from a specific directory, I'm trying to restrict all of the above except
for #2, and even that only within the client's home directory.
However, the developers of SSH do not appear to have contemplated this
need. I can disable 5 and 6 at compile time, and I can use restricted bash
to make #3 relatively harmless. I can remove the sftp-server to eliminate
#1, but that breaks #2 as well. Neither #1 nor #4 seem to use the shell
defined in /etc/passwd.
Anyway, any suggestions are welcome, and I would suggest that developers
allow the sysadmin to restrict the feature set. I would also suggest that
features 1-4, if implemented, use the shell defined in /etc/passwd!
-John Daily
[EMAIL PROTECTED]
