Karl Cunningham wrote:
> On 6/6/2006 2:19 PM, James G. Sack (jim) wrote:
>> Karl Cunningham wrote:
>>> Let me preface... This question is 90% academic and 10% practical. It
>>> stems from a bit of paranoia spawning curiosity.
>>>
>>> I know ssh public keys can include an option to only allow a specified
>>> command to be executed using that key. Is there a way to get it to
>>> allow a file transfer with scp but not allow a shell to be started using
>>> that key? I do want to allow shells using a different key.
>>>
>>
>> Quick and incomplete answer:
>>
>> It's not the keys that have such options, it's a question of server
>> configuration that determines what capabilities are granted to a user
>> (authenticated by eg, matching a certain public key).
>>
>> The subject matter to search on, I think, is
>> ssh "per account server configuration"
>>
>> Your question might be re-posed as involving:
>>
>> How to provide scp only access via per-account server configuration?
>>
>> which, in fact, seems to trigger some google hits (that I haven't
>> followed <heh>).
>
> Jim --
>
> Thanks for the info.
>
> BTW, the ssh keys do provide some control. See man sshd, go to the
> section titled AUTHORIZED_KEYS FILE FORMAT, then the following section
> about options.
>
Ahhh, there are some semantic differences between your/my words.

By 'keys' I mean things like id_rsa and id_rsa.pub which are created in
the client's ~/.ssh dir via ssh-keygen. The public one is what has to be
transported to the server and added to the appropriate authorized_keys
file.

The ~/.ssh/authorized_keys file is one of the server-configuration
controls.
..which, in fact is where you need to stuff the scp-only options.

..jim

-- 
http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-list
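
One way to set up the scp-only key discussed in this thread, as an added example that is not part of the original messages: an authorized_keys entry whose command= option forces a small wrapper, which runs only legacy scp server-side requests and refuses everything else. The install path, the key comment and the function name is_allowed_scp are assumptions made for the illustration, and the key material is a placeholder.

```shell
#!/bin/sh
# Added example: forced-command wrapper for an scp-only key.
# Assumed install path (hypothetical): /usr/local/bin/scp-only.sh
# authorized_keys entry on the server, one line, placeholder key material:
#   command="/usr/local/bin/scp-only.sh",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-rsa <PUBLIC-KEY-PLACEHOLDER> transfer-only
LC_ALL=C; export LC_ALL

# Succeed only for a legacy scp server-side request:
#   scp [-v|-r|-p|-d]... (-t|-f) <path>
is_allowed_scp() {
    set -f; set -- $1; set +f      # split on whitespace, no glob expansion
    [ "$1" = "scp" ] || return 1
    shift
    mode=
    while [ $# -gt 1 ]; do
        case $1 in
            -t|-f) [ -z "$mode" ] || return 1; mode=$1 ;;
            -v|-r|-p|-d) ;;
            *) return 1 ;;         # unknown option or extra word
        esac
        shift
    done
    [ -n "$mode" ] && [ $# -eq 1 ] || return 1
    case $1 in                     # the remaining word is the path
        -*|*[!A-Za-z0-9._/-]*) return 1 ;;
    esac
    return 0
}

# sshd puts the client's requested command in SSH_ORIGINAL_COMMAND.
# For an interactive login attempt it is unset, so the script just ends
# and no shell is started.
if [ -n "${SSH_ORIGINAL_COMMAND+set}" ]; then
    if is_allowed_scp "$SSH_ORIGINAL_COMMAND"; then
        set -f; set -- $SSH_ORIGINAL_COMMAND; shift
        exec scp "$@"              # argv passed directly, never re-parsed by a shell
    fi
    echo "this key is restricted to scp transfers" >&2
    exit 1
fi
```

Paths containing spaces are refused by this wrapper. scp clients from OpenSSH 9.0 onward use the SFTP protocol by default and need `scp -O` to send the legacy request it accepts.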
