Hmm, no, the "ssh lockout" still succeeds in allowing scp but no ssh. There must be something else that was done to secure this box... I am guessing that rbash, being a restricted shell, refuses to read in .rc files from the home directory.

Here is my attempted login: (for anyone tuning in to the thread late, this is an attempt at securing a box against ssh while still allowing scp. :)

Administrator at PRIVES /cygdrive/c/temp
$ pwd
/cygdrive/c/temp

Administrator at PRIVES /cygdrive/c/temp
$ ls

Administrator at PRIVES /cygdrive/c/temp
$ mkdir .ssh

Administrator at PRIVES /cygdrive/c/temp
$ touch .ssh/foo

Administrator at PRIVES /cygdrive/c/temp
$ ls -l .ssh/foo
-rw-r--r--    1 Administ None            0 Jul 30 09:42 .ssh/foo

Administrator at PRIVES /cygdrive/c/temp
$ scp -r .ssh/ qatest at tower15:/sfs/qatest
qatest at tower15's password:
foo                  100% |***************************************************|     0       00:00

Administrator at PRIVES /cygdrive/c/temp
$ ssh qatest at tower15
qatest at tower15's password:
We're sorry, but you do not have shell access to this machine.
Please contact the system administrator for support.
Connection to tower15 closed.

Administrator at PRIVES /cygdrive/c/temp
$ ### At this point, the ssh lockout still holds. I'll go in as root, just to verify the account & system.

Administrator at PRIVES /cygdrive/c/temp
$ ssh root at tower15
root at tower15's password:
Welcome to the Storigen Edge Storage Server platform.

[root at tower15 /root]# grep qatest /etc/passwd
qatest:x:507:507:tower15a.storigen.com Account:/sfs/qatest:/bin/rbash
[root at tower15 /root]# ls -la /sfs/qa
qafiles  qatest
[root at tower15 /root]# ls -la /sfs/qatest/
.bash_profile  .inputrc  cli.pl  stest.tar  .bashrc  .ssh  ftp.pl
[root at tower15 /root]# ls -la /sfs/qatest/.ssh/foo
-rw-r--r--    1 qatest   qatest          0 Jul 30 09:37 /sfs/qatest/.ssh/foo
[root at tower15 /root]#

####################

My understanding is, .ssh is only read in UPON a successful login.
I don't think the system ever gets that far, due to the shell script (see earlier email) that auto-kills login processes of users who default to rbash.

If what I've shown so far does not work for you, I'll look to verify my information with the system designer, and provide a better answer than I have :)

-Scott

-----Original Message-----
From: Alex Pennace [mailto:alex at pennace.org]
Sent: Monday, July 29, 2002 8:53 PM
To: Scott Prive
Cc: Struts User; discuss at blu.org
Subject: Re: allowing scp but not ssh (here's how)

On Mon, Jul 29, 2002 at 09:45:25AM -0400, Scott Prive wrote:
> Ah yes, sorry, I *did* intend to copy in the source of the refusal message. :-)
>
> Here's what you'd add. There could be something else to this, but I didn't see any symlink trickery.
>
> This setup allows specific users (determined by their login shell). Out of curiosity, I have not found any way to defeat this, if my only "account" is one of these rbash-designated accounts.
>
> # cat /etc/ssh/sshrc
[snip]

/etc/ssh/sshrc is executed only when ~/.ssh/rc doesn't exist (at least that's how my sshd works). Make a zero-length ~/.ssh/rc.
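An added audit script, not from the thread, for the weakness Alex points out: sshd runs ~/.ssh/rc in place of /etc/ssh/sshrc whenever the per-user file exists, so an rbash account whose ~/.ssh it can write to by scp is able to shadow the global refusal script. The passwd entries and home directories it checks are constructed for the demo; audit_account and make_demo_home are hypothetical helper names.

```sh
#!/bin/sh
# Constructed audit script (not from the thread). It checks an rbash "scp-only"
# account for the weakness Alex describes: sshd runs ~/.ssh/rc in place of
# /etc/ssh/sshrc whenever the per-user file exists, so an account that can scp
# into its own ~/.ssh can shadow the global lockout. All paths are fabricated.

# audit_account 'user:x:uid:gid:gecos:home:shell'
# Prints a verdict; returns 0 only when the sshrc-based lockout is intact.
audit_account() {
    user=$(printf '%s\n' "$1" | cut -d: -f1)
    home=$(printf '%s\n' "$1" | cut -d: -f6)
    shell=$(printf '%s\n' "$1" | cut -d: -f7)
    case "$shell" in
        */rbash) ;;    # only rbash accounts rely on the sshrc refusal message
        *) echo "$user: SKIP ($shell is not rbash)"; return 0 ;;
    esac

    if [ -e "$home/.ssh/rc" ]; then
        echo "$user: SHADOWED (~/.ssh/rc exists, /etc/ssh/sshrc is skipped)"
        return 1
    fi
    # If the account itself owns an owner-writable ~/.ssh, one scp of an empty
    # 'rc' file is enough to shadow sshrc, even though no rc exists yet.
    if [ -d "$home/.ssh" ]; then
        set -- $(ls -ld "$home/.ssh")      # mode links owner group ...
        case "$1" in
            ??w*) if [ "$3" = "$user" ]; then
                      echo "$user: EXPOSED ($user can create ~/.ssh/rc by scp)"
                      return 1
                  fi ;;
        esac
    fi

    echo "$user: OK (no ~/.ssh/rc and the account cannot create one)"
    return 0
}

# make_demo_home yes|no: throwaway home dir, optionally with ~/.ssh/rc planted.
make_demo_home() {
    h=$(mktemp -d)
    mkdir "$h/.ssh" && chmod 700 "$h/.ssh"
    if [ "$1" = yes ]; then : > "$h/.ssh/rc"; fi
    echo "$h"
}

# Demo: a qatest-style entry against a home where an empty rc was just scp'd in.
me=$(id -un 2>/dev/null || id -u)
audit_account "$me:x:507:507:demo:$(make_demo_home yes):/bin/rbash" || :
```

On OpenSSH 7.6 and newer, `PermitUserRC no` in sshd_config (a setting the thread predates) stops sshd from running ~/.ssh/rc at all, which closes this gap without having to make ~/.ssh unwritable by the account.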