[windows2000] Re: Sshwindows

  • From: "Jon Spriggs" <jon@xxxxxxxxxxxxxx>
  • To: windows2000@xxxxxxxxxxxxx
  • Date: Tue, 26 Jun 2007 13:48:10 +0100

Well, ish...

Seeing /etc/passwd is like doing a "net users" command, in that you can see
some limited stuff about the users who can log into this box. Fortunately,
the file you want to keep secret on a Linux box (/etc/shadow), you don't
need to worry about with SSHWindows and CopSSH, as it uses NT
Authentication.

Regards,

Jon

On 26/06/07, Sorin Srbu <sorin.srbu@xxxxxxxxxxxxx> wrote:

Jon Spriggs <> wrote on Tuesday, June 26, 2007 1:02 PM:

Yeah, I already got some replies from the mentioned list, I tried them out.
Didn't work. For now I think I'll skip ssh on windows and just go with the
easier-to-setup sshd on a Fedora Core-webserver I have running at home. Seems
a lot easier... Can't believe MS hasn't done anything about this for IIS over
the years. 8-/

Will look into CopSSH later. Seems like the technique using this is similar to
"ssh for windows" with the addition of some scripts and stuff out-of-the-box.
Promising, but we'll see.

Thx for the hint though. 8-)

PS. From what I've seen with sshd on linux, the "normal" users can traverse
directories there as well, except they can't view/edit sensitive files like
shadow and such. However I'm not sure if normal users seeing the contents of
passwd and groups is ok. Seems a bit, well, you know, bad... DS.


> Hi Sorin,
>
> I see you've already asked on the list I was going to recommend!
>
> I can strongly recommend using COPSSH[1] rather than SSHWindows... the
> SSHWindows project seemed to have stalled, whereas CopSSH is an active
> project (partially because I've contributed to it). I can't see a CHROOT
> Jail patch having been committed to this project, but I've found the author
> of the project was very amenable to making changes.
>
> Regards,
>
> Jon
>
> [1] http://www.itefix.no
>
>
> On 25/06/07, Sorin Srbu < sorin.srbu@xxxxxxxxxxxxx
> <mailto:sorin.srbu@xxxxxxxxxxxxx> > wrote:
>
>       Hi all,
>
>       Anybody using this "mini-cygwin" ssh implementation for windows;
>       http://sourceforge.net/projects/sshwindows? Have a problem with it...
>
>       I installed ssh for windows on a win2k3 sp2 DC and it seems to work as
>       expected.
>
>       Using WinSCP to access the ssh server works excellent also.
>
>       Only problem is that when I login with a test domain user-account (which
>       has no real priv's on the domain except for the home-folder which is an
>       upload shared folder on the DFS for a number of people) this user can
>       access and see all the files in <c:\program files\openssh> including the
>       passwd-file.
>
>       I don't feel this is a good idea. Any hints on as how to solve this? I
>       tried to remove list ntfs-rights and so on to the whole openssh-folder,
>       but this only resulted in my test-account couldn't login at all.
>
>       I then reset the rights as they were before, but removed all
>       non-privileged account rights to the etc-folder. This seems to work and
>       the user is not allowed to view the passwd and all files in the
>       etc-folder.
>
>       Next I tried the same thing with the bin-folder in order to disallow use
>       of makepasswd.exe and makegroup.exe, but this again disabled login of my
>       test-account.
>
>       So, currently I'm stuck with a no-access etc-folder for regular users,
>       which I think is a really ugly way to do things.
>
>       Is there some other cleaner way to disallow access to "normal" users
>       when they click the "/" in WinSCP?
>
>       TIA.
>
>
>       --
>
>       BW,
>
>       Sorin
>
>       # Sorin Srbu, Systems Engineer  Web: http://www.orgfarm.uu.se
>       # Dept of Medicinal Chemistry,  Phone: +46 (0)18-4714482 >3 signals> GSM
>       # Div of Org Pharm Chem,                Mobile: +46 (0)701-718023
>       # Box 574, Uppsala University,  Fax: +46 (0)18-4714482
>       # SE-751 23 Uppsala, Sweden     Visit: BMC, Husargatan 3, D5:512b
>       #
>       # ()  ASCII ribbon campaign - Against html E-mail
>       # /\
>       #
>       # Harmless tagline follows:
>       #
>       # Some things Man was never meant to know. For everything else, there's
>       # Google.
>
>
>
>       *****************************
>       New Site from The Kenzig Group!
>       Windows Vista Links, list options
>       and info are available at:
>       http://www.VistaPop.com
>       *****************************
>       To Unsubscribe, set digest or vacation
>       mode or view archives use the below link.
>
>       http://thethin.net/win2000list.cfm





--
Jon Spriggs LPIC-1 Certified
hackerkey
.com://v4sw6BHUhw5ln3pr5$ck4ma3u7L$w5TUX$m5l7ADFKLRSU$i852Ne5t5BGRSb8AGKMOPTen6a2Xs0Ir5p-
2.88/0g5CMT
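
Added example, not part of the original message or of either project: a small audit of what a world-readable passwd file of the kind discussed above actually discloses, and whether any entry carries a password hash. The sample lines are constructed; the `unused_by_nt/2000/xp` placeholder and the `U-DOMAIN\user,SID` comment field are assumed to follow the layout Cygwin's mkpasswd typically writes.

```python
import re

# Modular crypt ($id$salt$hash) or a 13-character traditional DES crypt string.
# A 13-character placeholder made of these characters would be a false positive.
HASH_RE = re.compile(r"^(\$[0-9a-z]+\$.+|[./0-9A-Za-z]{13})$")
SID_RE = re.compile(r"S-1-\d+(?:-\d+)+")

# Constructed sample: two Cygwin-style entries and one legacy Unix-style entry
# that still carries a hash in the password field.
SAMPLE = """\
Administrator:unused_by_nt/2000/xp:500:513:U-EXAMPLE\\Administrator,S-1-5-21-1111111111-2222222222-3333333333-500:/home/Administrator:/bin/bash
testuser:unused_by_nt/2000/xp:11105:10513:U-EXAMPLE\\testuser,S-1-5-21-1111111111-2222222222-3333333333-1105:/home/testuser:/bin/bash
legacy:$6$saltsalt$abcdefghijklmnopqrstuvwxyz:1001:1001:Legacy account:/home/legacy:/bin/sh
"""


def audit_passwd(text):
    """Return one dict per line describing what any reader of the file learns."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append({"line": lineno, "error": "expected 7 fields"})
            continue
        name, pw, uid, gid, gecos, home, shell = fields
        sid = SID_RE.search(gecos)
        findings.append({
            "line": lineno,
            "user": name,
            "uid": uid,
            "gid": gid,
            "hash_exposed": bool(HASH_RE.match(pw)),  # True only for a real hash
            "sid": sid.group(0) if sid else None,     # Windows SID, if listed
            "home": home,
            "shell": shell,
        })
    return findings


if __name__ == "__main__":
    for f in audit_passwd(SAMPLE):
        print(f)
```

Only the third, Unix-style entry is flagged with `hash_exposed`; the Cygwin-style entries disclose account names, IDs, SIDs, home directories and shells.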
