Re: Scp sftp with no shell access or restricted access

2006-11-16 Thread Johan Swensson

I like the idea of having a scponly account, but I'm used to running
pure-ftpd and limiting users' bandwidth. Is there any way to do this?


Re: Scp sftp with no shell access or restricted access

2006-11-16 Thread Mark Senior

I have a feeling that might not be very robust if you're allowing sftp
or scp to anywhere a user normally has access to - a user could then
download their own authorized_keys file, edit it to give themselves
shell access, and then upload it.

Another option might be to use the Match option in OpenSSH 4.4.  I
haven't had a chance to play around with 4.4 yet, so please experiment
with this.  But, something like

Match User restricted-user
   ForceCommand /usr/libexec/sftp-server

The advantage here is, you do this once to /etc/sshd_config - the file
you're editing is not under a user's control, unlike their
authorized_keys file.

You'd probably need to add other options in there, disabling port
forwarding and such...

I have one concern with the above - the forced command is executed
with the user's shell, with the -c option.  If I'm not mistaken, this
will prevent bash from reading any scripts that could be under the
user's control.

But you'd have to carefully examine the man page for every shell in
/etc/shells, and ferret out ways a user might run commands.  Maybe
either remove shells from /etc/shells, or prevent users from changing
their shells altogether.

For example, on my OS X system, tcsh still runs the user's ~/.tcshrc,
even when run with a -c option.  Although I wasn't able to try it with
ssh & ForceCommand.

Perhaps someone else on the list has more complete knowledge of this?

Regards
Mark


On 11/14/06, Greg Bell [EMAIL PROTECTED] wrote:


ssh lets you restrict the command a user is allowed to run in the
authorized_keys file.  Mostly unknown feature but very
handy.  I have found this useful for allowing users to do just one or two
things (e.g. rsync a particular dir).

see http://www.hackinglinuxexposed.com/articles/20030109.html

~gb

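The Match block above next to a hardened form of it, added here as an example rather than anything posted in the thread. It assumes a group named sftponly, a chroot tree under /srv/sftp/<user>, and an OpenSSH newer than the 4.4 discussed above: internal-sftp and ChrootDirectory first appeared in OpenSSH 4.9, and PermitTTY and AllowAgentForwarding are later still.

```text
# Global option: keep authorized_keys in a root-owned directory so a user cannot
# rewrite a command="..." restriction in a file they own (the concern raised above).
AuthorizedKeysFile /etc/ssh/authorized_keys/%u

# Weak form as posted: the user's own login shell runs the forced command, so whether
# it can be hijacked depends on that shell's rc-file behaviour under -c.
Match User restricted-user
    ForceCommand /usr/libexec/sftp-server

# Hardened form (added example; assumes group "sftponly" and /srv/sftp/<user>):
# internal-sftp runs inside sshd, so no login shell is ever executed and the account
# can carry /usr/sbin/nologin. The chroot path and every directory above it must be
# owned by root and writable by nobody else, or sshd refuses the login.
Match Group sftponly
    ChrootDirectory /srv/sftp/%u
    ForceCommand internal-sftp
    AllowTcpForwarding no
    AllowAgentForwarding no
    X11Forwarding no
    PermitTunnel no
    PermitTTY no
```

Check the file with `sshd -t` after editing, and on OpenSSH 5.1 or later print the options that would apply to one account with `sshd -T -C user=<name>`.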

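The check Mark describes, whether a shell listed in /etc/shells still reads a user-owned rc file when invoked with -c, as an added example that is not part of the thread: it seeds a throwaway HOME with marker-writing rc files and runs each shell non-interactively. It assumes the rc file names listed in the script and mktemp(1); its "ssh" mode only emulates the SSH_CLIENT variable that some bash builds key on, not a real sshd session.

```shell
#!/bin/sh
# Audit for the concern above: sshd runs a ForceCommand as "$SHELL -c <command>", so a
# login shell that still reads a user-owned rc file under -c hands control back to the
# user. Each shell is run with -c in a throwaway HOME seeded with marker-writing rc files.
# Assumptions (not from the thread): the rc file names below; mktemp(1) is available.
# Mode "ssh" additionally sets SSH_CLIENT, which bash builds compiled with
# SSH_SOURCE_BASHRC (bash 5.1+) use to decide to read ~/.bashrc even when non-interactive.

# rc_sourced_under_c SHELL [ssh]: 0 = rc file was read, 1 = not read, 2 = shell not runnable
rc_sourced_under_c() {
    sh_path=$1 mode=${2:-plain}
    [ -x "$sh_path" ] || return 2
    home=$(mktemp -d) || return 2
    # Every candidate rc file drops a marker if executed (sh and csh agree on this line).
    for rc in .bashrc .bash_profile .profile .tcshrc .cshrc .zshenv .zshrc .kshrc; do
        printf 'touch "%s/SOURCED"\n' "$home" > "$home/$rc"
    done
    # env -i also clears ENV/BASH_ENV, so only files under HOME are being tested.
    if [ "$mode" = ssh ]; then
        env -i HOME="$home" PATH="$PATH" SSH_CLIENT="192.0.2.10 51234 22" "$sh_path" -c true
    else
        env -i HOME="$home" PATH="$PATH" "$sh_path" -c true
    fi </dev/null >/dev/null 2>&1 || true
    if [ -e "$home/SOURCED" ]; then status=0; else status=1; fi
    rm -rf "$home"
    return $status
}

# audit_shells_file [FILE] [ssh]: one verdict line per shell in an /etc/shells-style file
audit_shells_file() {
    file=${1:-/etc/shells} mode=${2:-plain}
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    while IFS= read -r shell; do
        case $shell in ''|\#*) continue ;; esac
        if rc_sourced_under_c "$shell" "$mode"; then
            echo "UNSAFE  $shell reads a user rc file under -c"
        elif [ $? -eq 1 ]; then   # $? here is still the status of rc_sourced_under_c
            echo "ok      $shell ignores rc files under -c"
        else
            echo "skip    $shell is not executable here"
        fi
    done < "$file"
}

audit_shells_file "${1:-/etc/shells}" "${2:-plain}"
```

On a system with tcsh or zsh installed the plain run flags them (both read ~/.tcshrc and ~/.zshenv regardless of -c), while the ssh mode is what shows the ~/.bashrc behaviour of Debian-style bash builds.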

Re: Scp sftp with no shell access or restricted access

2006-11-14 Thread Thiago LPS

set the shell of user to /usr/lib/ssh/sftp-server

usermod user -s /usr/lib/ssh/sftp-server

:D



On 11/12/06, Massimo [EMAIL PROTECTED] wrote:

Hello,

I need to provide users with sftp and scp access to unix servers without
the possibility to open a shell on the server.

It would also be useful to give user:
1) restricted shell
2) Chroot sftp/scp access

I need to do this kind of configuration on HP-UX, Solaris, Linux & AIX.

How can I do it? Can I do it with standard & supported software or do I
need external software?

Do you have any ideas?

Best Regards,
Massimo


--
Thiago LPS
C.E.S.A.R - Administrador de Sistemas
msn: [EMAIL PROTECTED]
0xx 81 8735 2591
--


Re: Scp sftp with no shell access or restricted access

2006-11-14 Thread Olaf Hoyer

On Sun, 12 Nov 2006, Massimo wrote:


Hello,

I need to provide users with sftp and scp access to unix servers without the 
possibility to open a shell on the server.


It would also be useful to give user:
1) restricted shell
2) Chroot sftp/scp access

I need to do this kind of configuration on HP-UX, Solaris, Linux & AIX.

How can I do it? Can I do it with standard & supported software or do I need
external software?

Hallo!

I worked with the tool scponly under FreeBSD; it's not exactly what you
probably want, but it comes quite close.


http://www.sublimation.org/scponly/

HTH
Olaf


Re: Scp sftp with no shell access or restricted access

2006-11-14 Thread Derek Martin
On Sun, Nov 12, 2006 at 02:41:20PM +0100, Massimo wrote:
 I need to provide users with sftp and scp access to unix servers without 
 the possibility to open a shell on the server.

Well, you give some good keywords to search for right in your message:

 It would also be useful to give user:
 1) restricted shell
 2) Chroot sftp/scp access

I typed those into google and got this search:

http://www.google.com/search?hl=en&q=restricted+shell+chroot+sftp+scp+access&btnG=Google+Search

The results look like they suit your needs.
-- 
Derek D. Martin
http://www.pizzashack.org/
GPG Key ID: 0x81CFE75D





Re: Scp sftp with no shell access or restricted access

2006-11-14 Thread Rob Creely

On 11/12/06, Massimo [EMAIL PROTECTED] wrote:
Hello,

I need to provide users with sftp and scp access to unix servers without
the possibility to open a shell on the server.

It would also be useful to give user:
1) restricted shell
2) Chroot sftp/scp access

I need to do this kind of configuration on HP-UX, Solaris, Linux & AIX.

How can I do it? Can I do it with standard & supported software or do I
need external software?

Do you have any ideas?


I don't believe OpenSSH can accomplish what you're looking for out of
the box.  That said, there are a couple of plugins or external software out
there that can accomplish what you are looking for.  Specifically I
know of RSSH and SCPONLY.

RSSH
http://www.pizzashack.org/rssh/
Verified to work on:
   * A wide variety of Linux distributions, on IA32 and IA64 hardware
   * Compaq Tru64 Unix
   * Solaris 2.x - 8 (under certain conditions -- see the security link)
   * AIX 5.1
   * HP/UX 11.00 (PA-RISC)
   * HP/UX 11.22 (IA64)
   * Irix 6.5
-chroot capable

SCPONLY
http://sublimation.org/scponly/wiki/index.php/Main_Page
-Would assume it works on most Unix/Linux platforms when built from source
-chroot capable

Hope this helps.

--Rob