RE: Security options :-(
From: Douglas Finkle
Subject: RE: Security options :-(
Date: Tue, 17 Dec 2002 11:31:29 -0500

> > > That is, cvsphil can't login from the console, from telnet,
> > > rlogin, etc. I think this is mainly done by setting his login
> > > shell to "/sbin/nologin" or the equivalent.
> >
> > You'll also need to configure cvsphil such that he can only log on
> > with a particular keypair. Otherwise, what stops phil from using the
> > su command to sidestep this elaborate configuration?
>
> [/home/mzieg] mzieg $ grep cvsmark /etc/passwd
> cvsmark:x:510:510:CVS-only account for Mark Zieg:/home/cvsmark:/sbin/nologin
>
> [/home/mzieg] mzieg $ su cvsmark
> Password:
> This account is currently not available.
>
> [/home/mzieg] mzieg $ su cvsmark -c "ls /usr/local/cvsroot"
> Password:
> This account is currently not available.

AFAIK, ssh requires a real shell-- but you can disable passwd
auth at the OS and application layer. This is my recollection
of how it worked on Solaris. I am presently doing this along w/
restricting the ssh key usage to a single command-- only difference
is I allow *no* logins on the cvs server at all, except at the
admin level.
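
The single-command key restriction mentioned in the reply above, as an added example that is not part of the original message or anyone's actual configuration: a forced-command gate that lets a key run only the CVS server. The script path /usr/local/bin/cvs-only, the function names and the key placeholder are hypothetical, and clients are assumed to use the :ext: method over ssh, which requests "cvs server" on the remote side.

```shell
#!/bin/sh
# Added example: forced-command gate for a CVS-only ssh key.
#
# Assumed entry in ~cvsmark/.ssh/authorized_keys (one line; the key material
# is a placeholder and /usr/local/bin/cvs-only is a hypothetical path):
#   command="/usr/local/bin/cvs-only",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-rsa AAAA...PLACEHOLDER cvsmark
#
# Assumed sshd_config line that turns off password logins at the ssh layer:
#   PasswordAuthentication no
#
# sshd starts the forced command through the account's login shell, so the
# account needs a working shell (e.g. /bin/sh) rather than /sbin/nologin.

# Policy check. sshd ignores what the client asked to run, executes the
# forced command instead, and passes the client's request in
# SSH_ORIGINAL_COMMAND. Only the exact string "cvs server" is accepted, so
# an empty request (interactive login) or anything appended to it is denied.
# Prints "allow" or "deny"; returns 0 only for allow.
cvs_only_decide() {
    case "$1" in
        "cvs server") echo allow; return 0 ;;
        *)            echo deny;  return 1 ;;
    esac
}

# Entry point: run the CVS server or log the refusal and exit.
cvs_only_main() {
    requested="${SSH_ORIGINAL_COMMAND:-}"
    if cvs_only_decide "$requested" >/dev/null; then
        # Run a fixed command line; nothing from the client is passed to a shell.
        exec cvs server
    fi
    # Leave a trail for whoever reviews auth logs on the CVS host.
    logger -t cvs-only -p auth.notice "denied request from $(id -un): $requested"
    echo "This key is restricted to CVS access." >&2
    exit 1
}

# Run only when installed under the expected name, so the functions can be
# sourced and exercised without executing anything.
case "$0" in
    */cvs-only) cvs_only_main ;;
esac
```
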