
BLU Discuss list archive



allowing scp but not ssh (here's how)



Ah yes, sorry, I *did* intend to copy in the source of the refusal message. :-)

Here's what you'd add. There could be something else to this, but I didn't see any symlink trickery.

This setup allows specific users (determined by their login shell). Out of curiosity, I have not found any way to defeat this, if my only "account" is one of these rbash-designated accounts.

# cat /etc/ssh/sshrc
# Runs after every SSH login. SSH_TTY is only set when a pty was allocated,
# so scp/sftp (no pty) pass straight through and only interactive logins are checked.
if [ -n "$SSH_TTY" ]; then
        # Login shell of the connecting user, taken from the finger output.
        usershell=`finger -m "$USER" | grep Shell | awk '{print $4}'`
        if [ "$usershell" = "/bin/rbash" ]; then
                echo
                echo "We're sorry, but you do not have shell access to this machine."
                echo "Please contact the system administrator for support."
                echo
                # Terminate the session process that started this script.
                kill -TERM "$PPID"
        else
                echo "Hello World"
        fi
fi
###################################################
# (yeah, I know there's an extra grep up there but it's Not My Code :-)

I also looked at /etc/profile; it seemed fairly standard.

_Scott


-----Original Message-----
From: Alex Pennace [mailto:alex at pennace.org]
Sent: Saturday, July 27, 2002 4:02 AM
To: Scott Prive
Cc: Struts User; discuss at blu.org
Subject: Re: allowing scp but not ssh (here's how)


On Fri, Jul 26, 2002 at 10:15:29AM -0400, Scott Prive wrote:
> 3) Attempt remote ssh login
> Administrator at PRIVES ~/temp-area
> $ ssh qatest at tower15
> qatest at tower15's password:
> 
> We're sorry, but you do not have shell access to this machine.
> Please contact the system administrator for support.
> 
> Connection to tower15 closed.
> 
> Administrator at PRIVES ~/temp-area
> $
> %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
> 
> 
> Did I miss something Alex, or does your circumvention method perhaps not work with rbash as the shell?

I don't have enough information to recreate your setup exactly, in
particular rbash by itself doesn't issue the message, "We're sorry,
but you do not have shell access to this machine. Please contact the
system administrator for support," so your rbash may be modified.

Stock rbash reads its initialization files, then prevents people from
running programs outside their path or using cd to change
directories. Normally you would populate ~/bin/ with symlinks to the
binaries you want the user to use, and use ~/.bash_profile to force
~/bin/ to be the user's PATH. This fails if the user can copy files to
~ or ~/bin/, since they can reset ~/.bash_profile or add executables to
~/bin/.
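The sshrc check from Scott's message, rewritten in POSIX sh as an added example (mine, not code from Scott, Alex or the BLU list): it reads the login shell from the passwd database instead of parsing finger output, quotes every expansion, fails closed when the shell cannot be determined, and keeps the decision in a function that can be exercised against a constructed passwd sample. The getent call in sshrc_main and the sample accounts are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: a tighter version of the sshrc check.
# Same policy as the original: accounts whose login shell is /bin/rbash may
# run scp/sftp (no pty, so SSH_TTY is unset) but not an interactive session.

# Constructed /etc/passwd-style sample for offline testing (not real accounts).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
qatest:x:1001:1001:QA transfer account:/home/qatest:/bin/rbash
scott:x:1002:1002:Scott:/home/scott:/bin/bash'

# login_shell USER PASSWD_TEXT: print USER's login shell (7th field), or
# nothing when USER is absent. Replaces the finger | grep | awk pipeline.
login_shell() {
    printf '%s\n' "$2" | awk -F: -v u="$1" '$1 == u { print $7; exit }'
}

# session_policy SSH_TTY_VALUE LOGIN_SHELL: "deny" when a pty was allocated
# for an rbash account, or when a pty was allocated and the shell could not
# be determined (fail closed). No pty (scp, sftp) or a normal shell: "allow".
session_policy() {
    if [ -n "$1" ] && { [ -z "$2" ] || [ "$2" = "/bin/rbash" ]; }; then
        echo deny
    else
        echo allow
    fi
}

# Body for /etc/ssh/sshrc: call sshrc_main from the end of that file.
# getent (assumed present) yields the same field the sample parser reads.
sshrc_main() {
    shell=$(getent passwd "$USER" | cut -d: -f7)
    if [ "$(session_policy "${SSH_TTY:-}" "$shell")" = deny ]; then
        echo
        echo "We're sorry, but you do not have shell access to this machine."
        echo "Please contact the system administrator for support."
        echo
        # Terminate the session process that started this script.
        kill -TERM "$PPID"
    fi
}
```

sshrc only runs after authentication has already succeeded, so this is a session-policy check layered on top of normal access control, not a substitute for it.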



