This is the mail archive of the
cygwin@cygwin.com
mailing list for the Cygwin project.
RE: michael's openssh for windows
- From: Vince Hoffman <Vince dot Hoffman at uk dot circle dot com>
- To: "'cygwin at cygwin dot com'" <cygwin at cygwin dot com>, Mark Priest <mark dot priest at computer dot org>
- Cc: jwaterbrook <jwaterbrook at keyww dot com>
- Date: Wed, 13 Aug 2003 09:45:09 +0100
- Subject: RE: michael's openssh for windows
Sorry to say that chrooting ssh/sftp doesn't seem too small a task. I had a
look at http://chrootssh.sourceforge.net/docs/chrootedsftp.html
but wasn't too sure how relevant this was to cygwin and decided I would live
without it till I had time to play more.
I'd be interested if you get it going though. ;)
Vince
> -----Original Message-----
> From: Igor Pechtchanski [mailto:pechtcha@cs.nyu.edu]
> Sent: 13 August 2003 04:27
> To: Mark Priest
> Cc: jwaterbrook; cygwin@cygwin.com
> Subject: Re: michael's openssh for windows
>
>
> Mark,
>
> The chroot approach, if he could get it working (which I couldn't in the
> 20 or so minutes I've allocated for it) would prevent seeing directories
> outside of the selected root. Using scp (without chroot) will not prevent
> anyone from accessing a file in a known location (e.g.,
> /cygdrive/c/WINNT/system32/cmd.exe).
>
> I'm not sure there is a way to turn off the /cygdrive mode of drive access
> altogether. It might be useful to be able to do that (there's always
> mounts if drive access is really needed). This, however, doesn't concern
> me enough to work on implementing it just now. Others are welcome to try,
> of course.
> Igor
>
> On Tue, 12 Aug 2003, Mark Priest wrote:
>
> > Would it help if you used scp instead of sftp? The nature of sftp allows you
> > to browse directories while scp does not.
> >
> > -Mark
> >
> > ----- Original Message -----
> > From: "jwaterbrook" <jwaterbrook@keyww.com>
> > To: <cygwin@cygwin.com>
> > Sent: Tuesday, August 12, 2003 7:36 PM
> > Subject: Re: michael's openssh for windows
> >
> > > "Ssh passes no parameters to the login shell by default"
> > > This is exactly what was confusing me. Thank you for clarifying.
> > > I redirected $* to a file and logged in different ways, sftp gave me
> > > output as you said, so this part of it works now.
> > >
> > > I looked at chroot, but I can't seem to get it to take.
> > > Where/how can I include this in my sftponly script?
> > > I don't think DENY ACLs is an option in this distribution. Any info
> > > on it would also be helpful
> > >
> > > Thanks,
> > > Johnny
> > >
> > >
> > > Igor Pechtchanski wrote:
> > >
> > > > Johnny,
> > > >
> > > > Ssh passes no parameters to the login shell by default (as your output
> > > > clearly shows). You have to check for the parameters passed by other
> > > > programs, like sftp (make sure you don't print things to stdout, as
> > > > they'll be interpreted as program messages -- better redirect the output
> > > > to some log file). FYI, I was able to restrict ssh access to sftp only by
> > > > using the following script as the login shell:
> > > >
> > > > =================== CUT HERE ===================
> > > > #!/bin/sh
> > > > echo Parameters: "$@" >> /tmp/sshlogin.log
> > > > if [ "$*" != "-c /usr/sbin/sftp-server" ]; then
> > > > echo "Sorry, sftp only!"
> > > > exit 1
> > > > fi
> > > > exec /bin/bash "$@"
> > > > =================== CUT HERE ===================
> > > >
> > > > Checking /tmp/sshlogin.log after trying to use other programs with ssh
> > > > (e.g., cvs) should give you an idea of what exact parameters they pass,
> > > > and accommodate them in your script if need be.
> > > >
> > > > BTW, one important thing to know is that the above script *will not*
> > > > prevent anyone from accessing /cygdrive/c/WINNT/system32, for example.
> > > > If you want that kind of access restrictions, look at the "chroot"
> > > > utility ("man chroot") or use DENY ACLs.
> > > > Igor
> > > >
> > > > On Tue, 12 Aug 2003, jwaterbrook wrote:
> > > >
> > > > > I decided to give that a shot, however, as I expected, that gave no
> > > > > output either.
> > > > > ---OUTPUT---
> > > > > Last login: Tue Aug 12 10:50:24 2003 from xxxx.yyyy.com
> > > > > Parameters:
> > > > > $
> > > > > ---END OUTPUT---
> > > > >
> > > > > Somehow, nothing is getting passed. Like I said before, it could be the
> > > > > distribution. If anyone has any free time, download it and see what I'm
> > > > > talking about.
> > > > > It's such a wonderful quick solution, It would be nice to get this so it
> > > > > can act as a "substitute" for a normal ftp server (and even better for
> > > > > some cases only using a single port).
> > > > >
> > > > > Adieu,
> > > > > Johnny
> > > > >
> > > > > Igor Pechtchanski wrote:
> > > > >
> > > > > > You might try to change that script to
> > > > > >
> > > > > > #!/bin/sh
> > > > > > echo "Parameters: $@"
> > > > > > exec /bin/sh "$@"
> > > > > >
> > > > > > Hope this helps,
> > > > > > Igor
> > > > > > On Tue, 12 Aug 2003, jwaterbrook wrote:
> > > > > >
> > > > > > > A comment about the script method:
> > > > > > >
> > > > > > > for some reason, this didn't seem to return any result.
> > > > > > > I added /usr/bin/sftponly to the passwd file instead of /bin/sh or
> > > > > > > /bin/switch
> > > > > > > and created a /usr/bin/sftponly file with this inside:
> > > > > > > #!/bin/sh
> > > > > > >
> > > > > > > echo "$*"
> > > > > > >
> > > > > > > /bin/sh
> > > > > > >
> > > > > > > however, this did not create any output. So I have a feeling, nothing
> > > > > > > is being passed in this build.
> > > > > > >
> > > > > > > I may be going at this the wrong way, so if anyone would like to correct
> > > > > > > me, please do so.
> > > > > > >
> > > > > > > Thanks,
> > > > > > > Johnny
> > > > > > >
> > > > > > >
> > > > > > > Igor Pechtchanski wrote:
> > > > > > >
> > > > > > > > The thread starting at
> > > > > > > > <http://cygwin.com/ml/cygwin/2003-07/msg01379.html>
> > > > > > > > might be of help.
> > > > > > > > Igor
> > > > > > > >
> > > > > > > > On Mon, 11 Aug 2003, jwaterbrook wrote:
> > > > > > > >
> > > > > > > > > I haven't seemed to get very far with this,
> > > > > > > > > I was hoping someone might be able to point a blind man in the right
> > > > > > > > > direction
> > > > > > > > >
> > > > > > > > > Waterbrook, Johnny wrote:
> > > > > > > > >
> > > > > > > > > > I'd prefer not to start a new thread, but I've been searching for the
> > > > > > > > > > past few hours with no luck.
> > > > > > > > > >
> > > > > > > > > > I needed a fast way to set up sftp on a winXP box, so I did a little
> > > > > > > > > > google search and found lexa.mckenna.edu/sshwindows/ had a clean and
> > > > > > > > > > easy way of doing this.
> > > > > > > > > > I changed the registry setting "/home" to a different drive, and the
> > > > > > > > > > passwd file's entry from :/home/USERNAME: to :/home: so when my "aunts
> > > > > > > > > > ex-uncle" wants to login to my sftp server, they can't browse my windows
> > > > > > > > > > directory structure.
> > > > > > > > > >
> > > > > > > > > > However, when my "aunts ex-uncle" realizes he can also ssh into the box,
> > > > > > > > > > I don't want him running "windows" commands such as cmd, nbtstat, dir
> > > > > > > > > > etc. I just want to "limit" him to what is available in /bin I guess.
> > > > > > > > > >
> > > > > > > > > > Am I going about this wrong? Is there a cygwin/openssh implementation
> > > > > > > > > > that "stands alone" from windows so I could set up a sftp server much
> > > > > > > > > > like a normal ftp server?
> > > > > > > > > >
> > > > > > > > > > Thanks in advance,
> > > > > > > > > > Johnny
>
> --
> http://cs.nyu.edu/~pechtcha/
> |\ _,,,---,,_ pechtcha@cs.nyu.edu
> ZZZzz /,`.-'`' -. ;-;;,_ igor@watson.ibm.com
> |,4- ) )-,_. ,\ ( `'-' Igor Pechtchanski, Ph.D.
> '---''(_/--' `-'\_) fL a.k.a JaguaR-R-R-r-r-r-.-.-. Meow!
>
> "I have since come to realize that being between your mentor
> and his route
> to the bathroom is a major career booster." -- Patrick Naughton
>
>
--
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
Problem reports: http://cygwin.com/problems.html
Documentation: http://cygwin.com/docs.html
FAQ: http://cygwin.com/faq/
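The thread above settles on a login-shell wrapper that inspects the arguments sshd passes (`-c /usr/sbin/sftp-server` for an sftp session, nothing for an interactive login) and refuses anything else. The script below is an added example written for this page, not Igor's script and not part of the Cygwin or OpenSSH projects. It assumes the sftp-server binary lives at /usr/sbin/sftp-server, that the wrapper is installed as /usr/bin/sftponly, and that /tmp/sshlogin.log is writable; all three are placeholder assumptions. Compared with the `"$*"` string test in the thread it compares the individual arguments, so the only accepted invocation is exactly two words, and it logs to a file rather than stdout, for the reason Igor gives (anything printed to stdout is read by the sftp client as protocol data).

```shell
#!/bin/sh
# Added example, not the script from the thread. An sftp-only login shell:
# sshd runs the login shell as  <shell> -c <command>, so the wrapper allows
# exactly one command (the sftp subsystem) and refuses everything else.
# The two paths below are assumptions for a Cygwin-style layout.
SFTP_SERVER=/usr/sbin/sftp-server
LOGFILE=${SSHLOGIN_LOG:-/tmp/sshlogin.log}

# Succeed only when the argument list is exactly: -c <path to sftp-server>.
# Comparing individual arguments is stricter than testing "$*": "$*" joins
# the arguments with spaces, so the single word "-c /usr/sbin/sftp-server"
# would compare equal to the two words -c and /usr/sbin/sftp-server.
is_sftp_request() {
    [ "$#" -eq 2 ] && [ "$1" = "-c" ] && [ "$2" = "$SFTP_SERVER" ]
}

# Record what sshd passed, one bracketed token per argument, to the log
# file only. Nothing may go to stdout: the sftp client would read it as
# protocol data and abort. A logging failure must not break the login.
log_request() {
    {
        printf 'Parameters:'
        for arg in "$@"; do printf ' [%s]' "$arg"; done
        printf '\n'
    } >> "$LOGFILE" 2>/dev/null || :
}

sftponly_main() {
    log_request "$@"
    if is_sftp_request "$@"; then
        # Only one command is ever allowed, so run it directly instead of
        # handing it to a real shell.
        exec "$SFTP_SERVER"
    fi
    echo "Sorry, sftp only!" >&2
    exit 1
}

# Act as a login shell only when invoked under the installed name
# (assumed: /usr/bin/sftponly). Sourcing or running the file under another
# name just defines the functions, which keeps it testable.
case "$0" in
    */sftponly|sftponly) sftponly_main "$@" ;;
esac
```

Install it as /usr/bin/sftponly, make it executable, and set it as the account's shell in the passwd file, as the thread describes. What the wrapper does not do is equally important and is stated by Igor in the thread: it limits the command that runs, not which files the sftp session can reach, so a path such as /cygdrive/c/WINNT/system32 is still readable if the account has permission. Restricting that needs chroot or ACLs; on current OpenSSH releases the usual approach is a `Match` block in sshd_config with `ForceCommand internal-sftp` and `ChrootDirectory`, which replaces a wrapper like this one entirely.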