allowing scp but not ssh (here's how)
Scott Prive
Scott.Prive at storigen.com
Mon Jul 29 09:45:47 EDT 2002
Ah yes, sorry, I *did* intend to copy in the source of the refusal message. :-)
Here's what you'd add. There could be something else to this, but I didn't see any symlink trickery.
This setup allows specific users (determined by their login shell). Out of curiosity, I have not found any way to defeat this, if my only "account" is one of these rbash-designated accounts.
# cat /etc/ssh/sshrc
# Runs at every ssh login. SSH_TTY is only set for interactive sessions,
# so a plain scp (no tty allocated) passes straight through this check.
if [ -n "$SSH_TTY" ]; then
    # Look up the user's login shell from the passwd entry (via finger)
    usershell=`finger -m "$USER" | grep Shell | awk '{print $4}'`
    if [ "$usershell" = "/bin/rbash" ]; then
        echo
        echo "We're sorry, but you do not have shell access to this machine."
        echo "Please contact the system administrator for support."
        echo
        # Kill the parent process so the session ends instead of reaching a prompt
        kill -TERM $PPID
    else
        echo "Hello World"
    fi
fi
###################################################
# (yeah, I know there's an extra grep up there but it's Not My Code :-)
I also looked at /etc/profile; it seemed fairly standard.
_Scott
-----Original Message-----
From: Alex Pennace [mailto:alex at pennace.org]
Sent: Saturday, July 27, 2002 4:02 AM
To: Scott Prive
Cc: Struts User; discuss at blu.org
Subject: Re: allowing scp but not ssh (here's how)
On Fri, Jul 26, 2002 at 10:15:29AM -0400, Scott Prive wrote:
> 3) Attempt remote ssh login
> Administrator at PRIVES ~/temp-area
> $ ssh qatest at tower15
> qatest at tower15's password:
>
> We're sorry, but you do not have shell access to this machine.
> Please contact the system administrator for support.
>
> Connection to tower15 closed.
>
> Administrator at PRIVES ~/temp-area
> $
> %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
>
>
> Did I miss something Alex, or does your circumvention method perhaps not work with rbash as the shell?
I don't have enough information to recreate your setup exactly, in
particular rbash by itself doesn't issue the message, "We're sorry,
but you do not have shell access to this machine. Please contact the
system administrator for support," so your rbash may be modified.
Stock rbash reads its initialization files, then prevents people from
running programs outside their path or using cd to change
directories. Normally you would populate ~/bin/ with symlinks to the
binaries you want the user to use, and use ~/.bash_profile to force
~/bin/ to be the user's PATH. This fails if the user can copy files to
~ or ~/bin/, since they can reset ~/.bash_profile or add executables to
~/bin/.
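Alex's point, that rbash only holds if the restricted user cannot write ~, ~/.bash_profile or ~/bin, can be turned into a routine check. The audit script below is an added example, not code from either poster; it assumes GNU coreutils stat(1) and that the restricted account's uid is known.

```shell
#!/bin/sh
# Added example, not code from the thread: audit an rbash "scp-only" home
# directory for the weakness Alex describes. If the restricted user owns
# (or can otherwise write) ~, ~/.bash_profile or ~/bin, they can reset PATH
# or drop executables into ~/bin and the restriction is moot. A consequence
# is that any scp drop directory must be a separate subdirectory, not ~.
# Assumes GNU coreutils stat(1).
# Usage: audit_rbash_home HOME_DIR RESTRICTED_UID   (exit 0 = no findings)

# Report a finding if $1 is owned by uid $2 or is group/other writable.
# Symlinks are resolved, so an entry in ~/bin is judged by its target.
check_not_user_writable() {
    p=$1; uid=$2; what=$3
    if ! info=$(stat -L -c '%u %a' "$p" 2>/dev/null); then
        echo "MISSING: $what ($p) does not exist or is a dangling link"
        return 1
    fi
    owner=${info% *}; mode=${info#* }
    if [ "$owner" = "$uid" ]; then
        echo "WRITABLE: $what ($p) is owned by restricted uid $uid"
        return 1
    fi
    oth=${mode#"${mode%?}"}               # last octal digit: other
    grp=${mode%?}; grp=${grp#"${grp%?}"}  # second-last digit: group
    case "$grp$oth" in
        *[2367]*)   # these digits carry the write bit
            echo "WRITABLE: $what ($p) has mode $mode (group/other write)"
            return 1 ;;
    esac
    return 0
}

audit_rbash_home() {
    home=$1; uid=$2; rc=0
    check_not_user_writable "$home" "$uid" "home directory" || rc=1
    check_not_user_writable "$home/.bash_profile" "$uid" "~/.bash_profile" || rc=1
    check_not_user_writable "$home/bin" "$uid" "~/bin" || rc=1
    # ~/.bash_profile is what forces PATH to ~/bin; it must actually do so
    if [ -f "$home/.bash_profile" ] && ! grep -q 'PATH=.*bin' "$home/.bash_profile"; then
        echo "PATH: ~/.bash_profile does not set PATH to ~/bin"; rc=1
    fi
    # every tool in ~/bin should resolve to a binary the user cannot modify
    for f in "$home"/bin/*; do
        [ -e "$f" ] || [ -L "$f" ] || continue
        check_not_user_writable "$f" "$uid" "~/bin entry" || rc=1
    done
    return $rc
}
```

Run it as root against each rbash account's home with that account's uid; a non-zero exit means the layout Alex warns about is present.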