Boston Linux & Unix (BLU) Home | Calendar | Mail Lists | List Archives | Desktop SIG | Hardware Hacking SIG
Wiki | Flickr | PicasaWeb | Video | Maps & Directions | Installfests | Keysignings
Linux Cafe | Meeting Notes | Blog | Linux Links | Bling | About BLU

BLU Discuss list archive


[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

allowing scp but not ssh



> > How do I configure my Redhat 7.3 box so that users can scp files but not 
> > ssh into their accounts?
> 
> I suspect adding the desired bogus shell to /etc/shells will solve the
> problem for you. (See the shells(5) man page.)

I suspect this won't work.  Scp is nothing but a hardcoded command running 
over an ssh channel.  When you scp a file to a remote host, your local 
host makes an ssh connection to the remote system and then runs a specific 
command on that remote system -- which means that you have to have a 
shell that, minimally, accept the '-c <command>' command line option.

For example, the following command:

  scp file remotehost:

Is largely equivilent to:

  ssh remotehost <shell> -c "scp -t ."

Anything that prevents ssh from working will prevent scp from working, so 
dummy shells like /bin/false simply won't work.

There are two ways to solve this problem:

(1) You can create a custom shell that restricts the commands available to 
users connecting via ssh, or

(2) If you're using key-based authentication, you can restrict connections 
to a particular command with options in your authorized_keys file.  See 
the 'AUTHORIZED_KEYS FILE FORMAT' section of the sshd man page (OpenSSH 
3.x; possibly 2.x).

See:

  http://www.snailbook.com/faq/restricted-scp.auto.html

For some additional information.

-- Lars

-- 
Lars Kellogg-Stedman <lars at deas.harvard.edu>
Division of Engineering and Applied Sciences
Harvard University







BLU is a member of BostonUserGroups
BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.

Valid HTML 4.01! Valid CSS!



Boston Linux & Unix / webmaster@blu.org