allowing scp but not ssh
Lars Kellogg-Stedman
lars at larsshack.org
Tue Jul 23 07:00:25 EDT 2002
[ Whoops, sent this from the wrong account the first time... ]
> > How do I configure my Redhat 7.3 box so that users can scp files but not
> > ssh into their accounts?
>
> I suspect adding the desired bogus shell to /etc/shells will solve the
> problem for you. (See the shells(5) man page.)
I suspect this won't work. Scp is nothing but a hardcoded command running
over an ssh channel. When you scp a file to a remote host, your local
host makes an ssh connection to the remote system and then runs a specific
command on that remote system -- which means that you have to have a
shell that, minimally, accept the '-c <command>' command line option.
For example, the following command:
scp file remotehost:
Is largely equivilent to:
ssh remotehost <shell> -c "scp -t ."
Anything that prevents ssh from working will prevent scp from working, so
dummy shells like /bin/false simply won't work.
There are two ways to solve this problem:
(1) You can create a custom shell that restricts the commands available to
users connecting via ssh, or
(2) If you're using key-based authentication, you can restrict connections
to a particular command with options in your authorized_keys file. See
the 'AUTHORIZED_KEYS FILE FORMAT' section of the sshd man page (OpenSSH
3.x; possibly 2.x).
See:
http://www.snailbook.com/faq/restricted-scp.auto.html
For some additional information.
-- Lars
--
Lars Kellogg-Stedman <lars at larsshack.org>
More information about the Discuss
mailing list