Re: [SLUG] restricting ssh private key to access sftp only

2008-04-14 Thread Matthew Hannigan
On Mon, Apr 14, 2008 at 03:12:49PM +1000, Amos Shapira wrote:
>  [ ... ]
> I should probably also chroot that user to prevent it from being able
> to snoop around but for now I'll stop here (no time).

Have a look at rssh: http://rssh.sourceforge.net/


-- 
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html


Re: [SLUG] restricting ssh private key to access sftp only

2008-04-13 Thread Amos Shapira
On Mon, Apr 14, 2008 at 12:27 PM, Sven Peters
<[EMAIL PROTECTED]> wrote:
> Hi,
>
>  Try this:
>
>  http://www.debian-administration.org/articles/94
>
>  --snip--
>
>  Add the user as usual and assign him a password. Then run the following
>  command (replace 'username' with the real user name):
>
>  [EMAIL PROTECTED] # usermod -s /usr/lib/sftp-server username
>
>  This changes the user's shell to sftp-server.
>
>  The last step for this to work is to add '/usr/lib/sftp-server' to
>  /etc/shells to make it a valid shell, e.g. like this:
>
>  [EMAIL PROTECTED] # echo '/usr/lib/sftp-server' >> /etc/shells
>
>  There. Now you've set up a user who can only access your server with SFTP.

Thanks. There are some positive and some negative problems with this solution:

1. It reminded me that there is actually a problem with sharing the
account (because the remote user can manipulate the authorized_keys
file through sftp), so I use a separate account for that now.

2. It still doesn't prevent use of ssh completely, except that ssh to
that user gives the sftp server as a daemon. It logs in and gives the
/etc/motd file but can't run the shell. This doesn't feel quite right.

3. I added a 'command="/usr/lib/sftp-server"' to the public key line
and now I enjoy an almost complete setup: a separate user who can only
touch specific directories (but not its own home directory or .ssh or
.ssh/authorized_keys) and can only log in via sftp.

I should probably also chroot that user to prevent it from being able
to snoop around but for now I'll stop here (no time).

Thanks everyone.

--Amos


Re: [SLUG] restricting ssh private key to access sftp only

2008-04-13 Thread Mick Pollard
Hi,

On Mon, 14 Apr 2008 12:18:06 +1000
"Amos Shapira" <[EMAIL PROTECTED]> wrote:

> Hello,
> 
> I'm setting up a script which uses sftp to manipulate remote files
> through ssh. I created a private/public key pair for it without a pass
> phrase on it, installed the public key on the remote server and now I
> can use both "ssh" and "sftp" to login to it.
> 
> I'd like to restrict this key to be able to use only "sftp" and nothing else.
> 
> According to "man sshd", the "command" option should do that:
> 
> command="command"
>   Specifies that the command is executed whenever this key is used
>   for authentication.
>   ...Note that this option applies to shell, command or subsystem execution.
> 
> So I added a "command="sftp"" to that key's line but this causes the
> entire session to abort. When I remove the "command" part I can use
> sftp and ssh again.
http://troy.jdmz.net/rsync/index.html has an example.

from="10.1.1.1",command="/home/remoteuser/cron/validate-rsync" ssh-dss B3Nza
C1kc3MAAAEBAKYJenaYvMG3nHwWxKwlWLjHb77CT2hXwmC8Ap+fG8wjlaY/9t4uA+2qx9JNorgdrWKhH
SKHokFFlWRj+qk3q+lGHS+hsXuvta44W0yD0y0sW62wrEVegz+JVmntxeYc0nDz5tVGfZe6ydlgomzj1
bhfdpYe+BAwop8L+EMqKLS4iSacNjoPlHsmqHMnbibn3tBqJEq2QJjEPaiYj1iP5IaCuYBhuTKQGa+oy
H3mXEif5CKdsIKBj46B0tCy0/GC7oWcUN92QdLrUyTeRJZsTWsxKpRbMliD2pBh4oyX/aXEf8+HZBrO5
vQjDBCfTFQA+35Xrd3eTVEjkGkncI0SAeUVAMZSASmQ9Pi38mdm6oiVXD55Kk2rAAABAE/bA402V


-- 
Regards
Mick Pollard ( lunix )

BOFH Excuse of the day:
Non-Static Checksum Dereferencing
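The two authorized_keys approaches in this thread, Amos's 'command="/usr/lib/sftp-server"' line and the from="10.1.1.1",command="..." line from troy.jdmz.net that Mick quotes, are the same technique: put the restriction on the key, not on the account's login shell. The following is an added example written for this thread; it is not code from any of the posters, from that web page or from OpenSSH. It assumes the sftp-server path and the key material (a constructed, non-functional public key) as marked in the comments. The forced command has to be the server-side sftp-server binary: the sftp client merely asks the server to start the "sftp" subsystem, so forcing the client program "sftp", as in the original question, ends the session immediately. The second helper is the check a defender wants afterwards: it counts keys in an authorized_keys file that still carry no forced command, which is the gap Amos hit when only the login shell was replaced.

```shell
#!/bin/sh
# Added example for this thread, not code from any of the posters, from the
# troy.jdmz.net page or from OpenSSH itself.  Two small helpers:
#   restricted_key_line     - wrap a public key with the authorized_keys
#                             options that confine it to sftp-server
#   count_unrestricted_keys - audit an authorized_keys file for keys that
#                             still carry no forced command
# The sftp-server path is an assumption: Debian of this era shipped it as
# /usr/lib/sftp-server, newer packages as /usr/lib/openssh/sftp-server.
SFTP_SERVER=${SFTP_SERVER:-/usr/lib/openssh/sftp-server}

# Print one authorized_keys line.
#   $1 = public key as produced by ssh-keygen ("ssh-rsa AAAA... comment")
#   $2 = optional comma-separated host pattern list for the from= option
# Besides the forced command, the no-* options close the side channels a
# forced command alone leaves open (pty, port/X11/agent forwarding).
restricted_key_line() {
    pubkey=$1
    from=$2
    opts="command=\"$SFTP_SERVER\",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding"
    if [ -n "$from" ]; then
        opts="from=\"$from\",$opts"
    fi
    printf '%s %s\n' "$opts" "$pubkey"
}

# Count keys in file $1 that carry no command= option.  Blank lines and
# comments are skipped; the count is printed on stdout.  A non-zero result
# means some key can still open a shell or run arbitrary commands.
count_unrestricted_keys() {
    grep -v '^[[:space:]]*#' "$1" \
        | grep -v '^[[:space:]]*$' \
        | grep -vc 'command="' || true
}

# Demo with a constructed (not real) public key: sh this-file.sh --demo
if [ "${1:-}" = "--demo" ]; then
    restricted_key_line \
        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCconstructedkey0123456789== sftp-bot@example" \
        "10.1.1.1"
fi
```

The from= pattern is the piece the troy.jdmz.net line adds on top of Amos's setup: the key is only accepted from the listed hosts, so a copy of the passphrase-less private key is useless elsewhere. Since OpenSSH 7.2 the single option `restrict` replaces the list of no-* flags. The chroot Amos postponed is also available on the server side in sshd_config (OpenSSH 4.9 and later) with a `Match User` block containing `ForceCommand internal-sftp` and `ChrootDirectory`; that closes the "ssh still logs in and shows /etc/motd" oddity in his point 2 as well, because every session for that user becomes an sftp session regardless of which key or shell is involved.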



Re: [SLUG] restricting ssh private key to access sftp only

2008-04-13 Thread John Ferlito
On Mon, Apr 14, 2008 at 12:18:06PM +1000, Amos Shapira wrote:
> I'm setting up a script which uses sftp to manipulate remote files
> through ssh. I created a private/public key pair for it without a pass
> phrase on it, installed the public key on the remote server and now I
> can use both "ssh" and "sftp" to login to it.
> 
> I'd like to restrict this key to be able to use only "sftp" and nothing else.
> 

You need a wrapper command to do this effectively. Have a look at
scponly

http://sublimation.org/scponly/wiki/index.php/Main_Page

Cheers,

-- 
John
http://www.inodes.org/


Re: [SLUG] restricting ssh private key to access sftp only

2008-04-13 Thread Sven Peters
Hi,

Try this:

http://www.debian-administration.org/articles/94

--snip--

Add the user as usual and assign him a password. Then run the following
command (replace 'username' with the real user name):

[EMAIL PROTECTED] # usermod -s /usr/lib/sftp-server username

This changes the user's shell to sftp-server.

The last step for this to work is to add '/usr/lib/sftp-server' to
/etc/shells to make it a valid shell, e.g. like this:

[EMAIL PROTECTED] # echo '/usr/lib/sftp-server' >> /etc/shells

There. Now you've set up a user who can only access your server with SFTP.

--snip--

Cheers,
Sven

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Amos Shapira
Sent: Monday, 14 April 2008 12:18
To: Slug
Subject: [SLUG] restricting ssh private key to access sftp only

Hello,

I'm setting up a script which uses sftp to manipulate remote files
through ssh. I created a private/public key pair for it without a pass
phrase on it, installed the public key on the remote server and now I
can use both "ssh" and "sftp" to login to it.

I'd like to restrict this key to be able to use only "sftp" and nothing
else.

According to "man sshd", the "command" option should do that:

command="command"
  Specifies that the command is executed whenever this key is used
  for authentication.
  ...Note that this option applies to shell, command or subsystem execution.

So I added a "command="sftp"" to that key's line but this causes the
entire session to abort. When I remove the "command" part I can use
sftp and ssh again.

Can anyone give an example of how I can do this?

Thanks,

--Amos


[SLUG] restricting ssh private key to access sftp only

2008-04-13 Thread Amos Shapira
Hello,

I'm setting up a script which uses sftp to manipulate remote files
through ssh. I created a private/public key pair for it without a pass
phrase on it, installed the public key on the remote server and now I
can use both "ssh" and "sftp" to login to it.

I'd like to restrict this key to be able to use only "sftp" and nothing else.

According to "man sshd", the "command" option should do that:

command="command"
  Specifies that the command is executed whenever this key is used
  for authentication.
  ...Note that this option applies to shell, command or subsystem execution.

So I added a "command="sftp"" to that key's line but this causes the
entire session to abort. When I remove the "command" part I can use
sftp and ssh again.

Can anyone give an example of how I can do this?

Thanks,

--Amos