Jon Spriggs <> wrote on Tuesday, June 26, 2007 1:02 PM: Yeah, I already got some replies from the mentioned list, I tried them out. Didn't work. For now I think I'll skip ssh on windows and just go with the easier-to-setup shhd on a Fedora Core-webserver I have running at home. Seems a lot easier... Can't believe MS hasn't done anything about this for IIS over the years. 8-/ Will look into CopSSH later. Seems like the technique using this is similar to "ssh for windows" with the addition of some scripts and stuff out-of-the-box. Promising, but we'll see. Thx for the hint though. 8-) PS. From what I've seen with sshd on linux, the "normal" users can traverse directories there as well, except they can't view/edit sensitive files like shadow and such. However I'm not sure if normal users seeing the contents of passwd and groups is ok. Seems a bit, well, you know, bad... DS. > Hi Sorin, > > I see you've already asked on the list I was going to recommend! > > I can strongly recommend using COPSSH[1] rather than SSHWindows... the > SSHWindows project seemed to have stalled, whereas CopSSH is an active > project (partially because I've contributed to it). I can't see a CHROOT > Jail patch having been committed to this project, but I've found the author > of the project was very amenable to making changes. > > Regards, > > Jon > > [1] http://www.itefix.no > > > On 25/06/07, Sorin Srbu < sorin.srbu@xxxxxxxxxxxxx > <mailto:sorin.srbu@xxxxxxxxxxxxx> > wrote: > > Hi all, > > Anybody using this "mini-cygwin" ssh implementation for windows; > http://sourceforge.net/projects/sshwindows? Have a problem with it... > > I installed ssh for windows on a win2k3 sp2 DC and it seems to work as > expected. > > Using WinSCP to access the ssh server works excellent also. > > Only problem is that when I login with a test domain user-account (which > has no real priv's on the domain except for the home-folder which is a > upload shared folder on the DFS for a number of people) this user can > access and see all the files in <c:\program files\openssh> including the > passwd-file. > > I don't feel this is a good idea. Any hints on as how to solve this? I > tried to remove list ntfs-rights and so on to the whole openssh-folder, > but this only resulted in my test-account couldn't login at all. > > I then reset the rights as they were before, but removed all > non-priviliegied account rights to the etc-folder. This seems to work and > the user is not allowed to view the passwd and all files in the etc-folder. > > Next I tried the same thing with the bin-folder in order to disallow use of > makepasswd.exe and makegroup.exe, but this again disabled login of my > test-account. > > So, currently I'm stuck with a no-access etc-folder for regular users, > which I think is a really ugly way to do things. > > Is there some other cleaner way to disallow access to "normal" users when > they click the "/" in WinSCP? > > TIA. > > > -- > > BW, > > Sorin > > # Sorin Srbu, Systems Engineer Web: http://www.orgfarm.uu.se > # Dept of Medicinal Chemistry, Phone: +46 (0)18-4714482 >3 signals> GSM > # Div of Org Pharm Chem, Mobile: +46 (0)701-718023 > # Box 574, Uppsala University, Fax: +46 (0)18-4714482 > # SE-751 23 Uppsala, Sweden Visit: BMC, Husargatan 3, D5:512b > # > # () ASCII ribbon campaign - Against html E-mail > # /\ > # > # Harmless tagline follows: > # > # Some things Man was never meant to know. For everything else, there's > Google. > > > > ***************************** > New Site from The Kenzig Group! > Windows Vista Links, list options > and info are available at: > http://www.VistaPop.com > ***************************** > To Unsubscribe, set digest or vacation > mode or view archives use the below link. > > http://thethin.net/win2000list.cfm ***************************** New Site from The Kenzig Group! Windows Vista Links, list options and info are available at: http://www.VistaPop.com ***************************** To Unsubscribe, set digest or vacation mode or view archives use the below link. http://thethin.net/win2000list.cfm