James G. Sack (jim) wrote:
Karl Cunningham wrote:
On 6/6/2006 2:19 PM, James G. Sack (jim) wrote:
Karl Cunningham wrote:
Let me preface... This question is 90% academic and 10% practical. It
stems from a bit of paranoia spawning curiosity.
I know ssh public keys can include an option to only allow a specified
command to be executed using that key. Is there a way to get it to
allow a file transfer with scp but not allow a shell to be started using
that key? I do want to allow shells using a different key.
Quick and incomplete answer:
It's not the keys that have such options, it's a question of server
configuration that determines what capabilities are granted to a user
(authenticated by eg, matching a certain public key).
The subject matter to search on, I think, is
ssh "per account server configuration"
Your question might be re-posed as involving:
How to provide scp only access via per-account server configuration?
which, in fact, seems to trigger some google hits (that I haven't
followed <heh>).
Jim --
Thanks for the info.
BTW, the ssh keys do provide some control. See man sshd, go to the
section titled AUTHORIZED_KEYS FILE FORMAT, then the following section
about options.
Ahhh, there are some semantic differences between your/my words.
By 'keys' I mean things like id_rsa and id_rsa.pub which are created in
the client's ~/.ssh dir vis ssh-keygen. The public one is what has to be
transported to the server and added to the appropriate authorized_keys file.
The ~/.ssh/authorized_keys file is one of the server-configuration controls.
..which, in fact is where you need to stuff the scp-only options.
OK. I'll look at it from that perspective.
Karl
--
[email protected]
http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-list
