There have been a lot of questions on this list as of late that highlight the following three subjects.
1) Restricted shell access to limited functionality
2) Automating (i.e. passwordless access)
3) SCP-based ssh connections only

Some of the following information is my $.02 worth.

Controlling whether users can cd into another directory, or execute any other command, is generally a job for the shell. There are various paths you can take; one example is the rsh shell, or restricted shell. Under Solaris check out the man page via the command "man -s 1m rsh", or under the GNU version of bash check out the "RESTRICTED SHELL" portion of the bash man pages.

The following procedure has been tested under Solaris 7 using the commercial ssh v3.0.1 from ssh.com. I suspect the following procedures will migrate to other platforms or to the OpenSSH version of the software, although I imagine with OpenSSH you will have quite a few more libraries to copy over and will have to modify the PK config files somewhat. The procedures are however sound. 90% of this can be scripted if you have the $USERHOME variable set up.

This does several things, but is designed to lock down an ssh user. Perfect for allowing files to be uploaded into a directory without giving them additional access. This does the following:
1) Chroots them into their home directory
2) Places them into a restricted shell (see "man -s 1M rsh")
3) They cannot cd into a different directory
4) They can only execute programs in their $USERHOME/bin directory (but not place new ones there)
5) Allows them to upload files into their directory; however, they cannot execute them
6) As an option, you can limit them to scp only in the last few steps

--------------------------------STEPS--------------------------------

1) Add the user account to the system, setting the shell to be /bin/rsh.
   Add the user(s) to ChrootUsers in /etc/ssh2/sshd2_config.

2) Restart the sshd2 server.

3) Set up the $USERHOME variable to make things easier when executing the following commands.

4) Make directories:
   mkdir $USERHOME/bin
   mkdir $USERHOME/usr
   mkdir $USERHOME/usr/lib
   mkdir $USERHOME/dev
   mkdir $USERHOME/.ssh2

5) Copy needed binaries:
   cp -p /opt/ssh/bin/sftp-server2 $USERHOME/bin/sftp-server
   cp -p /usr/lib/rsh $USERHOME/bin

6) Copy needed libraries:
   cd $USERHOME/usr/lib
   cp -p /usr/platform/`uname -m`/lib/libc_psr.so.1 .
   cp -p /usr/lib/ld.so.1 .
   cp -p /usr/lib/libc.so.1 .
   cp -p /usr/lib/libcurses.so.1 .
   cp -p /usr/lib/libdl.so.1 .
   cp -p /usr/lib/libelf.so.1 .
   cp -p /usr/lib/libld.so.2 .
   cp -p /usr/lib/liblddbg.so.4 .
   cp -p /usr/lib/libmp.so.2 .
   cp -p /usr/lib/libnsl.so.1 .
   cp -p /usr/lib/librtld.so.1 .
   cp -p /usr/lib/libsec.so.1 .
   cp -p /usr/lib/libsocket.so.1 .
   cp -p /usr/lib/libgen.so.1 .

7) Run ldd $USERHOME/bin/sftp-server and check that all the needed libraries are in $USERHOME/usr/lib. If any are missing, copy them into that directory.

8) Create needed devices:
   mknod $USERHOME/dev/tcp c 11 42
   mknod $USERHOME/dev/ticlts c 105 2
   mknod $USERHOME/dev/ticotsord c 105 1
   mknod $USERHOME/dev/udp c 11 41
   mknod $USERHOME/dev/zero c 13 12

9) Securing their directory:
   chown root $USERHOME/bin
   chmod 755 $USERHOME/bin
   rm $USERHOME/.profile
   rm $USERHOME/.login
   echo "PATH=$USERHOME/bin;export PATH" > $USERHOME/.profile
   touch $USERHOME/.login
   chown root $USERHOME/.profile ; chmod 755 $USERHOME/.profile
   chown root $USERHOME/.login ; chmod 755 $USERHOME/.login

-----------------------DONE-Password authentication will work now--------------------
-------------------------------------------------------------------------------------
-----------------------Optional-Setting up Key based authentication------------------

10) Place the public key that the user generated into the .ssh2 directory, along with an authorization file that has an entry like the following. You can optionally add an Options line as shown below to limit them to connecting from a particular host.
   Key keyname.pub
   Options allow-from="hostname.domainname.com"

11) To prevent them from uploading a new key and setting a password, do the following:
   chown root $USERHOME/.ssh2
   chown root $USERHOME/.ssh2/sshkeyname.pub
   chown root $USERHOME/.ssh2/authorization

12) Set their password to something nonsensical.

That should be it.

----------------------------ADVANCED OPTIONAL ITEMS --------------------------------------------------

13) Modify /etc/hosts.allow to only allow particular hosts (with libwrap support).

14) Modify the user's .login/.profile with the logout command, or if supporting PK-only based authentication, add the following Options entry to the authorization file:
   Options command=/usr/bin/sftp-server
   This should allow only scp file transfers.

---------------------------------------------------------------------
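As an added example (my own script, not part of the original post and not ssh.com's code), a POSIX sh audit of a home directory built by the steps above: it checks saved ldd output against $USERHOME/usr/lib (step 7) and verifies the root ownership and non-writable modes that the "Securing their directory" step sets. It assumes the file layout those steps create and the Solaris ldd output form "lib => /path/lib".

```sh
#!/bin/sh
# Added example, not from the original post: audit a home directory built
# by the steps above. Assumes that layout ($USERHOME/bin, $USERHOME/usr/lib,
# $USERHOME/.profile, $USERHOME/.login). Usage: sh audit_chroot.sh $USERHOME

# Step 7 helper: takes a file holding saved "ldd $USERHOME/bin/sftp-server"
# output (lines like "  libc.so.1 =>  /usr/lib/libc.so.1") and the chroot
# root, and prints each library that is still missing from <root>/usr/lib.
missing_chroot_libs() {
    ldd_out=$1; root=$2
    awk '$2 == "=>" { print $1 }' "$ldd_out" | while read -r lib; do
        [ -e "$root/usr/lib/$lib" ] || echo "$lib"
    done
}

# "Securing their directory" check: a file the user must not alter may be
# neither group- nor world-writable. Prints the path and returns 1 if it is.
check_not_writable() {
    path=$1
    set -- $(ls -ld "$path")          # $1 = mode string, e.g. -rwxr-xr-x
    case "$1" in
        ?????w*|????????w*) echo "WRITABLE: $path"; return 1 ;;
    esac
    return 0
}

# The same files must be owned by root, otherwise the user can simply chmod
# them back (which is why the steps above chown root each one).
check_root_owned() {
    path=$1
    set -- $(ls -ld "$path")          # $3 = owner
    [ "$3" = root ] && return 0
    echo "NOT ROOT-OWNED: $path (owner $3)"; return 1
}

# Walk the files the securing step locks down and return non-zero if any
# is missing, writable by the user, or not owned by root.
audit_chroot_home() {
    home=$1; rc=0
    for f in bin bin/sftp-server bin/rsh .profile .login; do
        [ -e "$home/$f" ] || { echo "MISSING: $home/$f"; rc=1; continue; }
        check_not_writable "$home/$f" || rc=1
        check_root_owned "$home/$f" || rc=1
    done
    return $rc
}

if [ $# -ge 1 ]; then audit_chroot_home "$1"; fi
```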