allowing scp but not ssh (here's how) (WHOOPS) 
    Scott Prive 
    Scott.Prive at storigen.com
       
    Thu Aug  1 08:38:37 EDT 2002
    
    
  
Thanks for the info!
-----Original Message-----
From: John Abreau [mailto:jabr at blu.org]
Sent: Wednesday, July 31, 2002 3:29 PM
To: Scott Prive
Cc: Alex Pennace; Struts User; discuss at blu.org
Subject: Re: allowing scp but not ssh (here's how) (WHOOPS) 
"Scott Prive" <Scott.Prive at storigen.com> writes:
> I would have thought rbash could be configured to disallow this 
> (or ignore rc files altogether). That may or may not be possible 
> (there is always the source), but I'm very surprised this problem 
> has not been solved before.
This problem in fact has been solved before, in the commercial ssh
server; it comes with a dummy shell for just this purpose.
I just wrote a test script to verify the behavior by logging its
parameters and stdin to a file on the server. When using openssh's scp
as follows:
    % scp /etc/termcap user@server:
the log shows that the shell on the remote end was invoked with the 
parameters "-c scp -t ." 
    % scp /etc/termcap user@server:/tmp/foo
resulted in the parameters "-c scp -t /tmp/foo"
So you can write a dummy shell that checks those parameters and fires up
scp if it's requested, or prints a "no logins allowed" message otherwise.
    sftp user@server
yields the parameters "-c /usr/libexec/openssh/sftp-server", so you
should allow for that as well.
-- 
John Abreau / Executive Director, Boston Linux & Unix 
ICQ 28611923 / AIM abreauj / JABBER jabr at jabber.org / YAHOO abreauj
Email jabr at blu.org / WWW http://www.abreau.net / PGP-Key-ID 0xD5C7B5D9
PGP-Key-Fingerprint 72 FB 39 4F 3C 3B D6 5B E0 C8 5A 6E F1 2C BE 99
"An idealist is just a farsighted pragmatist."  -Anon
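
The dummy shell described in the message above, as an added example that is not code from the thread: it accepts only the parameter strings the test log showed and never hands the command string to a real shell. The install name "scponly" and the function names are assumptions; the sftp-server path is the one quoted in the message.

```sh
#!/bin/sh
# Dummy login shell: allow scp uploads and sftp, refuse interactive logins.
# Assumptions: installed under the hypothetical name "scponly"; the
# sftp-server path is the one quoted in the message and varies by system.
SFTP_SERVER=/usr/libexec/openssh/sftp-server

# classify_request ARGS... prints "scp", "sftp" or "deny".
classify_request() {
    # sshd starts the login shell as: <shell> -c "<command string>"
    if [ "$#" -ne 2 ] || [ "$1" != "-c" ]; then
        echo deny; return
    fi
    cmd=$2
    # Allow-list the characters: anything a real shell would interpret
    # (; | & $ quotes, newlines ...) turns the request into a refusal.
    case $cmd in
        *[!A-Za-z0-9\ ._/-]*) echo deny; return ;;
    esac
    if [ "$cmd" = "$SFTP_SERVER" ]; then
        echo sftp; return
    fi
    set -f            # no globbing while splitting the string into words
    set -- $cmd
    set +f
    # Exactly "scp -t <path>"; a path starting with "-" would be an option.
    if [ "$#" -eq 3 ] && [ "$1" = scp ] && [ "$2" = -t ]; then
        case $3 in
            -*) echo deny ;;
            *)  echo scp ;;
        esac
    else
        echo deny
    fi
}

main() {
    case $(classify_request "$@") in
        scp)  set -f; set -- $2; exec scp -t "$3" ;;
        sftp) exec "$SFTP_SERVER" ;;
        *)    echo "no logins allowed" >&2; exit 1 ;;
    esac
}

# Dispatch only when run under the installed name, so the functions can
# be sourced and tested without the script exiting.
case ${0##*/} in
    scponly) main "$@" ;;
esac
```

Only the upload form logged above is permitted; any other parameter string is refused until it is added to the allow-list.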
    
    