Justin:

A similar question was on the list last week. A guy wanted to allow some
users to upload files via scp to his server. He wanted any other access to
this server to be denied for these accounts.
Using a login shell that does 'nothing' (just returns 0) is not a good idea
because your users are kicked out right after the authentication.
Instead use a very special login shell that provides you only the
functionality you need. In this case this is not too difficult.

I send my proposal again:

###################################

Let's suppose you want these users to copy files only to a certain
directory.
(You wouldn't allow them to upload files anywhere, would you?)

You need to create a custom login shell (call it scp_shell) for these users:
--------------------
#!/bin/sh
#
# Restricted login shell: sshd invokes it as "scp_shell -c '<command>'", but
# the requested command is deliberately ignored; the only thing that ever
# runs is scp in sink ("to") mode, writing into UPLOAD_DIR.
# Replace UPLOAD_DIR with the real directory (or $HOME, see below).
exec /usr/bin/scp -t UPLOAD_DIR
--------------------
You can put this script to /usr/local/bin and you have to register it in
/etc/shells.

With this solution your users can upload files, but only relative to the
UPLOAD_DIR directory.
You can replace UPLOAD_DIR with $HOME if you want them to
upload to their home directories instead of a common one. Or you can
create a symlink in the home directory of the user pointing to a user
specific location outside of $HOME.

On the client side you may omit the remote destination when you invoke scp,
because UPLOAD_DIR will be used.
The command your users have to issue is:
'scp SOURCE user@your_server:'
You need the colon at the end!

###################################

I did not test it, but this should work for download, too.

Hope this helps.

Attila Peter
EDS
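A stricter variant of the same idea, added here as an example and not part of Attila's posting: instead of ignoring the command sshd hands to the login shell, it inspects it and only execs scp in sink (upload) mode, refusing downloads (scp -f), sftp-server, and any other command. The path in UPLOAD_DIR, the script name scp_shell and the example command strings are assumed values.

```sh
#!/bin/sh
# scp_shell: restricted login shell that only allows scp uploads into UPLOAD_DIR.
# sshd starts the login shell as:  scp_shell -c "<command the client asked for>"
# Hypothetical example; the default path below is an assumed value.
UPLOAD_DIR="${UPLOAD_DIR:-/srv/uploads}"

# check_command CMD: succeed only if CMD is an scp "sink" (upload) invocation.
check_command() {
    # Reject any character outside a conservative set (no ; | & $ ` quotes, globs).
    [ -z "$(printf '%s' "$1" | tr -d 'A-Za-z0-9._/ -')" ] || return 1
    set -- $1                      # split the command line into words
    [ "$1" = "scp" ] || return 1   # the program must be scp, nothing else
    shift
    sink=0
    while [ $# -gt 0 ]; do
        case "$1" in
            -t) sink=1 ;;              # "to" (sink) mode: the client is uploading
            -f) return 1 ;;            # "from" (source) mode, i.e. download: denied
            -p|-r|-v|-d) ;;            # harmless options the scp client may add
            -*) return 1 ;;            # any other option is denied
            *) ;;                      # destination operand: ignored, UPLOAD_DIR wins
        esac
        shift
    done
    [ "$sink" -eq 1 ]
}

# Dispatch: sshd always passes -c. An interactive login (no -c) falls off the
# end of this script and therefore never gets a shell.
if [ "$1" = "-c" ]; then
    if check_command "$2"; then
        exec /usr/bin/scp -t "$UPLOAD_DIR"   # scp's own sink code writes the files
    fi
    echo "scp_shell: only scp uploads are permitted" >&2
    exit 1
fi
```

Filenames sent inside the scp protocol are still validated by scp itself, not by this script, so keep the server-side scp up to date.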

-----Original Message-----
From: Justin Clift [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, 14 August 2001 06:57
To: [EMAIL PROTECTED]
Subject: Allowing scp but not sftp nor ssh


Hi all,

I've gotten OpenSSH 2.9p2 compiled and installed on Linux of various
flavours here.

One of the linux servers needs a client system to be able to connect to it 
and upload/download a file every now and again (for backup purposes).

I have scp set up on the client such that it correctly transfers the file,
authenticating using the publickey method.

What I'd like to do however, is disallow the client from being able to run 
anything other than scp.  i.e.  I'd like the client to be able to connect 
with scp, but not with sftp nor ssh.

I can probably turn off sftp through commenting out its subsystem line in
sshd_config, but how do I stop allowing someone from logging into the server
via ssh, as the authentication keys are stored on the client machine
(~/.ssh/id_dsa)?

My initial attempt was creating a blank shell which did nothing but
main () { return 0 }, but then neither ssh, sftp, nor scp works.

Anybody have any better ideas?

Regards and best wishes,

Justin Clift
