allowing scp but not ssh

Lars Kellogg-Stedman lars at larsshack.org
Tue Jul 23 07:00:25 EDT 2002


[ Whoops, sent this from the wrong account the first time... ]

> > How do I configure my Redhat 7.3 box so that users can scp files but not 
> > ssh into their accounts?
> 
> I suspect adding the desired bogus shell to /etc/shells will solve the
> problem for you. (See the shells(5) man page.)

I suspect this won't work.  Scp is nothing but a hardcoded command running 
over an ssh channel.  When you scp a file to a remote host, your local 
host makes an ssh connection to the remote system and then runs a specific 
command on that remote system -- which means that you have to have a 
shell that, minimally, accepts the '-c <command>' command line option.

For example, the following command:

  scp file remotehost:

is largely equivalent to:

  ssh remotehost <shell> -c "scp -t ."

Anything that prevents ssh from working will prevent scp from working, so 
dummy shells like /bin/false simply won't work.

There are two ways to solve this problem:

(1) You can create a custom shell that restricts the commands available to 
users connecting via ssh, or

(2) If you're using key-based authentication, you can restrict connections 
to a particular command with options in your authorized_keys file.  See 
the 'AUTHORIZED_KEYS FILE FORMAT' section of the sshd man page (OpenSSH 
3.x; possibly 2.x).

See:

  http://www.snailbook.com/faq/restricted-scp.auto.html

for some additional information.

-- Lars



-- 
Lars Kellogg-Stedman <lars at larsshack.org>
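The following is an added example, not code from the post above or from the snailbook FAQ it links to. It sketches the "custom shell" approach (option 1) as a small POSIX sh script, and also works as a forced command for option 2. It assumes it is installed as /usr/local/bin/scponly-sh (a hypothetical path), listed in /etc/shells and set as the user's login shell. It relies on the invocation the post describes: sshd runs the login shell as `<shell> -c "scp -t ."` (or `scp -f <file>` for downloads), so the script accepts only an scp server command with a relative target path and refuses everything else, including an interactive login.

```shell
#!/bin/sh
# Added example (not from the original post): a restricted login shell that
# permits only the server-side scp commands the scp client runs over ssh.
# Assumed install path: /usr/local/bin/scponly-sh, listed in /etc/shells.

# Return 0 if "$1" is a permitted scp server command, 1 otherwise.
# Accepted shape:  scp [-v] [-r] [-p] [-d] (-t|-f) <relative-path>
is_allowed_scp_command() {
    cmd="$1"

    # Whitelist characters first: the command will be word-split and exec'd,
    # so anything outside letters, digits, ". / _ - space" is refused.
    # (This also rejects "~", which a real shell would expand.)
    rest=$(printf '%s' "$cmd" | LC_ALL=C tr -d 'A-Za-z0-9./_ -')
    [ -z "$rest" ] || return 1

    set -- $cmd                       # split into tokens (safe after whitelist)
    [ "$1" = "scp" ] || return 1
    shift

    mode=""
    while [ $# -gt 0 ]; do
        case "$1" in
            -t|-f)      mode="$1"; shift; break ;;   # sink (-t) or source (-f)
            -v|-r|-p|-d) shift ;;                    # harmless scp options
            *)          return 1 ;;                  # unknown option
        esac
    done

    # Exactly one target must follow the mode flag ...
    [ -n "$mode" ] && [ $# -eq 1 ] || return 1

    # ... and it must stay inside the home directory sshd starts us in.
    case "$1" in
        /*|..|../*|*/..|*/../*) return 1 ;;
    esac
    return 0
}

# Login-shell mode: sshd passes "-c <command>" (option 1 in the post).
# Forced-command mode: with command="/usr/local/bin/scponly-sh" in
# authorized_keys (option 2), sshd instead exports the client's request in
# SSH_ORIGINAL_COMMAND. Invoked with neither (an interactive login attempt),
# nothing is run and the session simply ends.
requested=""
if [ "$1" = "-c" ]; then
    requested="$2"
elif [ -n "$SSH_ORIGINAL_COMMAND" ]; then
    requested="$SSH_ORIGINAL_COMMAND"
fi

if [ -n "$requested" ]; then
    if is_allowed_scp_command "$requested"; then
        exec $requested               # tokens were validated above
    fi
    echo "This account allows scp only; ssh logins are disabled." >&2
    exit 1
fi
```

Because the validation is a whitelist of exact tokens, anything the scp client does not normally send (a second command after `;`, an absolute or `..` path, a non-scp program) is rejected before `exec` sees it. Newer scp clients that negotiate sftp instead of the classic `scp -t` protocol would also be refused by this script; that is the conservative failure mode.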