On Tue, 19 Jun 2001 09:25:02 +0300, Shachar Shemesh <[EMAIL PROTECTED]> wrote:
>
> Create a shell that accepts no input and gives no output. Create a user
> (one user) that has no valid password (or a shared password to all your
> users - that may also work). You are already 3/4 done.
Actually the shell should respond to input by a "help message" and allow
a way to logout gracefully (e.g. by typing "bye").
> All that is left is for you to take a public key from each of your
> users, and tell this dummy user that that public key is allowed to log
> in. By not placing the user's shell in /etc/shells you can prevent login
> via FTP (actually - this is not necessary, as the user has no valid
> password).
>
> Thus you have a list of users, who can authenticate with the machine for
> port forwarding purposes, but can do nothing else. You have individual
> control over the users (i.e. - they do not all use the same password),
> and yet it only takes one real user on the machine.
Thank you for the advice, I'll add users to the general pool that way.
One other thing. To increase security each key should be preceded by
permitopen option commands to restrict port forwarding.
Ehud.
--
Ehud Karni Mivtach - Simon Insurance /"\
Tel: +972-3-6212-757 Fax: +972-3-6292-544 \ / ASCII Ribbon Campaign
(USA) Fax and voice mail: 1-815-5509341 X Against HTML Mail
Better Safe Than Sorry / \
mailto:[EMAIL PROTECTED] http://www.simonwiesel.co.il
=================================================================
To unsubscribe, send mail to [EMAIL PROTECTED] with
the word "unsubscribe" in the message body, e.g., run the command
echo unsubscribe | mail [EMAIL PROTECTED]
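The setup discussed in this thread (a dummy user with a do-nothing shell, one authorized_keys entry per real user, each entry restricted with permitopen), as an added example that is not part of the original messages. The script below serves both as the "help message / bye" login shell and as a helper that builds the per-key authorized_keys line; the option names permitopen, no-pty, no-X11-forwarding and no-agent-forwarding are standard OpenSSH authorized_keys options, while the user name "tunnel", the install path and the sample key are illustrative assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Two roles in one file:
#   1. installed as the login shell of the shared "tunnel" account
#      (e.g. useradd -s /usr/local/bin/tunnel-shell tunnel; passwd -l tunnel;
#      leave the path out of /etc/shells so FTP-style logins are refused)
#   2. a helper that emits one authorized_keys line per real user's public key
# Assumed names: user "tunnel", path /usr/local/bin/tunnel-shell.

# Build one authorized_keys line: only forwarding to host:port is allowed,
# no pty, no X11, no agent forwarding. The shell above still runs, so the
# user sees the help text if they open an interactive session.
# $1 = public key text, $2 = permitted target host, $3 = permitted target port
build_authorized_key_line() {
    pubkey="$1"; host="$2"; port="$3"
    printf 'permitopen="%s:%s",no-pty,no-X11-forwarding,no-agent-forwarding %s\n' \
        "$host" "$port" "$pubkey"
}

# Reply logic of the dummy shell: "bye" ends the session, anything else
# (including attempts to run commands) only gets the help message.
# Prints the reply; returns 0 to keep the session open, 1 to close it.
tunnel_shell_reply() {
    case "$1" in
        bye) printf 'Goodbye.\n'; return 1 ;;
        *)   printf 'This account only provides SSH port forwarding. Type "bye" to log out.\n'
             return 0 ;;
    esac
}

# Interactive loop used when this script is the login shell.
tunnel_shell_loop() {
    while IFS= read -r line; do
        tunnel_shell_reply "$line" || break
    done
}

# Constructed sample input: a fake public key and the one allowed destination.
SAMPLE_KEY="ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC_EXAMPLE_KEY user@example"

# sshd invokes the login shell as "shell -c 'cmd'" for "ssh host cmd";
# refuse to execute anything and just print the help text.
if [ "$1" = "-c" ]; then
    tunnel_shell_reply "$2"
    exit 0
fi

# No arguments on a terminal: behave as the restricted login shell.
# Otherwise (e.g. run from a script) show the authorized_keys line
# an administrator would append for the sample key.
if [ "$#" -eq 0 ] && [ -t 0 ]; then
    tunnel_shell_loop
else
    build_authorized_key_line "$SAMPLE_KEY" "127.0.0.1" "5432"
fi
```

Usage: append the output of build_authorized_key_line for each user's key to ~tunnel/.ssh/authorized_keys, and have users connect with something like `ssh -N -L 5432:127.0.0.1:5432 tunnel@host`; a forward to any other host:port is rejected by sshd because of permitopen, and an interactive login only ever reaches the help loop.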