09-20-2007 07:10 AM
Restricting users direct access to specific users
09-20-2007 07:48 AM
Re: Restricting users direct access to specific users
but maybe there are some key options that might be helpful.
Could you explain a little more about why you want the user to have to su?
Is the same user doing the scp and sftp as the one you don't want to be able to log in?
09-20-2007 07:55 AM
Re: Restricting users direct access to specific users
You can set up allowed or denied users for direct login.
Keep in mind that if you do not disable telnet completely, they can still sneak in via telnet and circumvent the ssh rules.
09-20-2007 04:50 PM
Re: Restricting users direct access to specific users
09-21-2007 01:53 AM
Re: Restricting users direct access to specific users
You can use the no-pty key option to disable interactive login, but that still allows commands to be run, as in ssh yourhost 'runmyscript'. If that occurs it is logged by sshd to the log file.
You could use the command option to force which command is run, but then scp won't work.
The best way of securing this is to set up a separate account to do your file transfers. This account's privileges should be limited to just those necessary to do its job.
(To transfer a file, all that is needed is read permission on the file and write permission on where the file is going.)
You'll need to keep the account's private key as private as possible (only those that know it could use it to log in). Separate account, separate home directory (700 perms), separate home/.ssh directory (700 perms), etc.
You're probably going to run this out of cron, so the account can have its login disabled and it doesn't even need a shell.
Use the options on the key in the authorized key file to limit what the key can be used for. Use from to only allow the specific user@hosts, and no-pty, no-port-forwarding, no-X11-forwarding, no-agent-forwarding.
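An added example, not written by any poster in this thread: a Python audit that reads an authorized_keys file and reports every key missing one of the options recommended in the post above. The sample entries, host names and key material are constructed placeholders, and the function names are this example's own.

```python
# Key options the post recommends for a transfer-only key (names are case-insensitive).
REQUIRED = {"from", "no-pty", "no-port-forwarding",
            "no-x11-forwarding", "no-agent-forwarding"}
KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-")

# Constructed sample file; key material and host names are placeholders.
SAMPLE = """\
# transfer account
from="batchhost.example.com,192.0.2.10",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-rsa AAAAEXAMPLE1 xfer@batchhost
no-pty ssh-rsa AAAAEXAMPLE2 xfer@otherhost
ssh-rsa AAAAEXAMPLE3 admin@laptop
"""

def parse_options(line):
    """Return {option: value} for one authorized_keys line, or None for blanks/comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    if line.startswith(KEY_TYPES):          # entry has no options field at all
        return {}
    fields, cur, quoted = [], "", False
    for i, ch in enumerate(line):
        if ch == '"' and line[i - 1:i] != "\\":
            quoted = not quoted             # commas and spaces inside quotes are literal
        elif ch == "," and not quoted:
            fields.append(cur)
            cur = ""
            continue
        elif ch.isspace() and not quoted:
            break                           # options field ends at first unquoted space
        cur += ch
    fields.append(cur)
    return {name.lower(): value.strip('"')
            for name, _, value in (f.partition("=") for f in fields)}

def audit(text):
    """List (line number, missing options) for every key lacking a recommended option."""
    findings = []
    for number, line in enumerate(text.splitlines(), 1):
        options = parse_options(line)
        if options is not None and REQUIRED - set(options):
            findings.append((number, sorted(REQUIRED - set(options))))
    return findings

if __name__ == "__main__":
    for number, missing in audit(SAMPLE):
        print(f"line {number}: missing {', '.join(missing)}")
```

To check a real account, pass the contents of its authorized_keys file to audit() instead of SAMPLE.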
09-21-2007 03:00 AM