Re: Fwd: scp, no ssh
On 11 Jan 2002, at 0:06, martin f krafft wrote:

> also sprach Marcel Hicking [EMAIL PROTECTED] [2002.01.10.1646 +0100]:
>> /bin/true will log you out right away, and therefore you cannot start
>> scp. I've double-checked this yesterday, and even tried to put exit
>> into the .bashrc. *This* did work fine, no ssh anymore, but scp works.
>> But! Unfortunately the user can scp a new .bashrc or use ssh and rm to
>> remove it.
>
> chattr +i .bashrc. but whether you want to do it that way... well, you
> tell us...

Not really ;-) Just offering some thoughts...

-- 
Enjoy Debian/GNU Linux

-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Fwd: scp, no ssh
What about setting ssh and scp to a different user and making appropriate sudo settings?

> On Thu, 2002-01-10 at 12:19, Tim Quinlan wrote:
>> how about setting the user's shell to /bin/true. this allows ftp, but
>> no login shell. so it may work for scp as well.
>
> This is true, but you can still (probably) use ssh to execute commands,
> like /bin/sh, and effectively get a shell.
>
> -- 
> Joel Michael
> Systems Administrator
> Worldhosting.org Pty. Ltd.

-- 
G.Glawe
pelion XII AG
Fon: [05 11] 64 64 47 -0   Fax: [05 11] 39 13 07
Pelikanstr. 7, 30177 Hannover
eMail: [EMAIL PROTECTED]
www.pelion12.de
Re: Fwd: scp, no ssh
also sprach Tim Quinlan [EMAIL PROTECTED] [2002.01.10.0319 +0100]:
> how about setting the user's shell to /bin/true. this allows ftp, but
> no login shell. so it may work for scp as well.

nope. as i said, scp uses ssh and needs a shell

-- 
martin; (greetings from the heart of the sun.)
as of next week, passwords will be entered in morse code.
Re: Fwd: scp, no ssh
also sprach Gernot Glawe [EMAIL PROTECTED] [2002.01.10.0905 +0100]:
> What about setting ssh and scp to a different user and making
> appropriate sudo settings?

and how do you want to get that working remotely? i suppose you could
create a shell script scp and a shell script ssh that would call scp.orig
and ssh.orig via sudo. make sure to employ NOPASSWD though, and please let
us know if that works... interesting approach!

-- 
martin; (greetings from the heart of the sun.)
tell me, in 10 seconds, the names of the 7 kings of rome, in descending
order of the date of death of their second-born son, in rot13... or i
wipe out the /dev directory !!!
Re: Fwd: scp, no ssh
also sprach Joel Michael [EMAIL PROTECTED] [2002.01.10.0323 +0100]:
> This is true, but you can still (probably) use ssh to execute commands,
> like /bin/sh, and effectively get a shell.

that's not possible either. try it.

-- 
martin; (greetings from the heart of the sun.)
this message represents the official view of the voices in my head.
Re: scp, no ssh
Hi,

Found something which looks like it might do the trick:
http://www.sublimation.org/scponly/

Haven't tried it myself, though...

Regards,
Bennet

On Thu, 2002-01-10 at 05:51, Jeff Norman wrote:
> Now, the trick is to replace bob's shell with a (perl?) script that
> takes the -c argument passed and checks if scp is the intended command.
> If scp *isn't* the intended command, it merely exits, thus closing the
> remote connection and effectively denying access to other commands. If
> scp *is* what was requested, the script could just exec scp with the
> requested options in place of itself and everything should continue as
> normal. If you wanted to, you could even get really fancy and have the
> script deny access to certain directories or types of files.
>
> Of course, I don't imagine that the ssh/scp combo was intended to be
> used like this, so one should be careful while implementing, but other
> than that, the only downside I can think of is that the user on the
> remote system becomes useless for any purpose other than scp-ing.
>
> Hope that makes sense.
>
> Later,
> Jeff
Re: Fwd: scp, no ssh
What about setting rbash as login shell and then

  PATH=/usr/local/bin

in .bash_profile, and then

  ln -s /usr/bin/scp /usr/local/bin/scp

and then

  chattr +i .bash_profile

That is what i do and it works (as far as i know ..)

-- 
Felipe Alvarez Harnecker.
QlSoftware.
Tels. 204.56.21 - 09.874.60.17
e-mail: [EMAIL PROTECTED]
http://qlsoft.cl/  http://ql.cl/
Re: Fwd: scp, no ssh
What about sftp? Clients should be available by now. I mean, Windooze
clients ;-) As secure as scp, as restricted as ftp.

Cheers, Marcel

On 9 Jan 2002, at 21:19, Tim Quinlan wrote:
> how about setting the user's shell to /bin/true. this allows ftp, but
> no login shell. so it may work for scp as well.
>
> -- Forwarded Message --
> Subject: scp, no ssh
> Date: Wed, 9 Jan 2002 09:49:10 +0100
> From: Robert Janusz [EMAIL PROTECTED]
> To: debian-isp@lists.debian.org
>
> How to allow, for some users' IPs, only scp and no ssh?

-- 
Enjoy Debian/GNU Linux
Now even on the 5 Euro banknote!
Re: Fwd: scp, no ssh
No way. /bin/true will log you out right away, and therefore you cannot
start scp. I've double-checked this yesterday, and even tried to put exit
into the .bashrc. *This* did work fine, no ssh anymore, but scp works.
But! Unfortunately the user can scp a new .bashrc or use ssh and rm to
remove it.

So I'd say: No way, indeed.

Cheers, Marcel

On 9 Jan 2002, at 21:19, Tim Quinlan wrote:
> how about setting the user's shell to /bin/true. this allows ftp, but
> no login shell. so it may work for scp as well.
>
> -- Forwarded Message --
> Subject: scp, no ssh
> Date: Wed, 9 Jan 2002 09:49:10 +0100
> From: Robert Janusz [EMAIL PROTECTED]
> To: debian-isp@lists.debian.org
>
> How to allow, for some users' IPs, only scp and no ssh?

-- 
Enjoy Debian/GNU Linux
Now even on the 5 Euro banknote!
Re: Fwd: scp, no ssh
On Thu, Jan 10, 2002 at 04:46:26PM +0100, Marcel Hicking wrote:
> No way. /bin/true will log you out right away, and therefore you cannot
> start scp. I've double-checked this yesterday, and even tried to put
> exit into the .bashrc. *This* did work fine, no ssh anymore, but scp
> works. But! Unfortunately the user can scp a new .bashrc or use ssh and
> rm to remove it.

Late to the discussion so I may have missed something ... can't you
chattr +i the .bashrc file, then chmod 750 /usr/bin/chattr ?

Of course if the user can copy their own chattr binary using scp and
execute it somehow, this doesn't work :)

-- 
Nathan Norman - Staff Engineer | A good plan today is better
Micromuse Ltd.                 | than a perfect plan tomorrow.
mailto:[EMAIL PROTECTED]       |                      -- Patton
Re: Fwd: scp, no ssh
also sprach Marcel Hicking [EMAIL PROTECTED] [2002.01.10.1646 +0100]:
> What about sftp? Clients should be available by now. I mean, Windooze
> clients ;-) As secure as scp, as restricted as ftp.

but you still need to enable a shell and ssh, because sftp does nothing
else but pipe over ssh...

-- 
martin; (greetings from the heart of the sun.)
in contrast to the what-you-see-is-what-you-get philosophy, unix is the
you-asked-for-it,-you-got-it operating system. --scott lee
Re: Fwd: scp, no ssh
also sprach Marcel Hicking [EMAIL PROTECTED] [2002.01.10.1646 +0100]:
> /bin/true will log you out right away, and therefore you cannot start
> scp. I've double-checked this yesterday, and even tried to put exit
> into the .bashrc. *This* did work fine, no ssh anymore, but scp works.
> But! Unfortunately the user can scp a new .bashrc or use ssh and rm to
> remove it.

chattr +i .bashrc. but whether you want to do it that way... well, you
tell us...

-- 
martin; (greetings from the heart of the sun.)
please keep your hands off the secretary's reproducing equipment.
Re: scp, no ssh
also sprach Robert Janusz [EMAIL PROTECTED] [2002.01.09.0949 +0100]:
> How to allow, for some users' IPs, only scp and no ssh?

i don't think you can, since scp actually uses ssh as its backend...

-- 
martin; (greetings from the heart of the sun.)
syntactic sugar causes cancer of the semicolon. -- epigrams in programming
Re: scp, no ssh
also sprach Robert Janusz [EMAIL PROTECTED] [2002.01.09.0949 +0100]:
> How to allow, for some users' IPs, only scp and no ssh?

you *could* disable their passwords, give them DSA identities, and use
the authorized_keys file to specify that this identity may only run the
scp command...

-- 
martin; (greetings from the heart of the sun.)
it may look like i'm just sitting here doing nothing. but i'm really
actively waiting for all my problems to go away.
Re: scp, no ssh
On Wed, Jan 09, 2002 at 02:38:30PM +0100, martin f krafft wrote:
> also sprach Robert Janusz [EMAIL PROTECTED] [2002.01.09.0949 +0100]:
>> How to allow, for some users' IPs, only scp and no ssh?
>
> i don't think you can, since scp actually uses ssh as its backend...

You're right. This is not possible. scp uses port 22 to transfer. If you
block out this port - you block ssh, too.

Michael
Fwd: scp, no ssh
how about setting the user's shell to /bin/true. this allows ftp, but no
login shell. so it may work for scp as well.

-- Forwarded Message --
Subject: scp, no ssh
Date: Wed, 9 Jan 2002 09:49:10 +0100
From: Robert Janusz [EMAIL PROTECTED]
To: debian-isp@lists.debian.org

How to allow, for some users' IPs, only scp and no ssh?
Re: Fwd: scp, no ssh
On Thu, 2002-01-10 at 12:19, Tim Quinlan wrote:
> how about setting the user's shell to /bin/true. this allows ftp, but
> no login shell. so it may work for scp as well.

This is true, but you can still (probably) use ssh to execute commands,
like /bin/sh, and effectively get a shell.

-- 
Joel Michael
Systems Administrator
Worldhosting.org Pty. Ltd.
Re: Fwd: scp, no ssh
On Wednesday 09 January 2002 21:23, Joel Michael wrote:
> On Thu, 2002-01-10 at 12:19, Tim Quinlan wrote:
>> how about setting the user's shell to /bin/true. this allows ftp, but
>> no login shell. so it may work for scp as well.
>
> This is true, but you can still (probably) use ssh to execute commands,
> like /bin/sh, and effectively get a shell.

you may be right, as i've never tried this with scp but what true does
(as a shell) is log you out instantly. so, in theory, you couldn't
execute a command from ssh because as soon as you authenticate, true
would log you out.
Re: scp, no ssh
On Wed, 2002-01-09 at 21:23, Joel Michael wrote: On Thu, 2002-01-10 at 12:19, Tim Quinlan wrote: how about setting the user's shell to /bin/true. this allows ftp, but no login shell. so it may work for scp as well. This is true, but you can still (probably) use ssh to execute commands, like /bin/sh, and effectively get a shell. The above assumption is wrong. Ssh executes commands by passing them as arguments to the user's shell. For example, if the user executes the ls command by connecting with $ ssh [EMAIL PROTECTED] ls /home/bob/ and the user's shell is set to /bin/bash, then the shell executed on remotehost.com will be equivalent to executing /bin/bash -c ls /home/bob/ instead of the user's normal login shell. So, if you set the user's shell to /bin/true, all that will happen when your friendly hacker tries to connect with $ ssh [EMAIL PROTECTED] /bin/bash is that instead of runing a shell, the benign command /bin/true -c /bin/bash will run. After the shell that ssh tries to execute exits, ssh immediately closes the connection, so when /bin/true exits (which is immediately, of course) ssh will close the connection, not allowing the remote user any further actions. This is all fine and dandy, but it doesn't answer the initial question of how to make scp work, but not allow shell logins; here goes on that one: Scp, in simplified terms, is just a wrapper for ssh, if I run $ scp [EMAIL PROTECTED]:/home/bob/file.txt /home/alice/file.txt scp will make the connection to the remote host with ssh, and request that another copy of scp be run on the remote host. The details aren't important, but it runs something like the command ssh [EMAIL PROTECTED] scp -f /home/bob/file.txt which in turn connects to remotehost.com and passes the specified command to bob's shell as /bin/bash -c scp -f /home/bob/file.txt Now, the trick is to replace bob's shell with a (perl?) script that takes -c argument passed and checks if scp is the intended command. 
If scp *isn't* the intended command, it merely exits, thus closing the remote connection and effectively denying access to other commands. If scp *is* what was requested, the script could just exec scp with the requested options in place of itself and everything should continue as normal. If you wanted to, you could even get really fancy and have the script deny access to certain directories or types of files. Of course, I don't imagine that the ssh/scp combo was intended to be used like this, so one should be careful while implementing, but other than that, the only downside I can think of is that the user on the remote system becomes useless for any purpose other than scp-ing. Hope that makes sense. Later, Jeff -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
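Jeff's wrapper-shell idea and martin's earlier suggestion of an authorized_keys restriction are the same check seen from two places: as a login shell the script is started by sshd as `scp-only -c 'scp -f file'`, and as a `command=` forced command the client's request arrives in SSH_ORIGINAL_COMMAND. The script below is an added example written for this page, not code from the thread or from any of its posters; it implements the check in POSIX sh so that one file works in both roles. The install path /usr/local/bin/scp-only, the location /usr/bin/scp of the real binary and the 192.0.2.0/24 client network in the header comment are assumptions. It handles the classic scp protocol only (on OpenSSH 9.0 and newer the client must pass `-O`; by default those clients copy over SFTP, and the remote command is then the sftp subsystem, not scp).

```shell
#!/bin/sh
# scp-only: restricted login shell / forced command that permits only the
# remote side of scp.  Added example for this thread, not code from it.
#
# Two ways to wire it up (paths and addresses are assumptions):
#   a) login shell:   chsh -s /usr/local/bin/scp-only bob
#      sshd then runs  /usr/local/bin/scp-only -c 'scp -f file.txt'
#   b) forced command, one line in ~bob/.ssh/authorized_keys:
#      from="192.0.2.0/24",command="/usr/local/bin/scp-only",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-ed25519 AAAA... bob@client
#      sshd then runs this script with the request in SSH_ORIGINAL_COMMAND;
#      from= is what limits the key to particular client addresses.
# With b), keep authorized_keys out of the user's reach (root-owned, or an
# AuthorizedKeysFile under /etc); otherwise "scp -t .ssh/authorized_keys"
# could replace the restricted line.  The path filter below refuses
# dotfiles for the same reason.

SCP=/usr/bin/scp        # assumed location of the real scp binary
LC_ALL=C; export LC_ALL # predictable character ranges in the whitelist

# check_scp_command CMD
# Returns 0 when CMD is exactly  scp [-v] [-r] [-p] [-d] (-t|-f) [--] PATH
# with PATH relative, not a dotfile and free of ".." components; 1 otherwise.
check_scp_command() {
    cmd=$1
    # Character whitelist: everything a shell could interpret (quotes, $,
    # backticks, ; | & ( ) < >, glob characters, newlines) is simply absent.
    case $cmd in
        ''|*[!A-Za-z0-9_./+,' '-]*) return 1 ;;
    esac
    set -- $cmd                      # word-split on blanks (no globs possible)
    [ "${1-}" = scp ] || return 1
    shift
    mode=
    while [ $# -gt 0 ]; do
        case $1 in
            -v|-r|-p|-d) shift ;;                  # harmless remote-side flags
            -t|-f)       mode=$1; shift; break ;;  # sink (upload) / source (download)
            *)           return 1 ;;               # -S, -o, anything unknown
        esac
    done
    [ -n "$mode" ] || return 1
    dashdash=0
    if [ "${1-}" = -- ]; then dashdash=1; shift; fi
    [ $# -eq 1 ] || return 1         # exactly one path, nothing after it
    path=$1
    case $path in
        /*)          return 1 ;;     # absolute: must stay under the home directory
        .*)          return 1 ;;     # dotfiles, including .. and .ssh/...
        */..|*/../*) return 1 ;;     # parent-directory escapes
        -*) [ $dashdash = 1 ] || return 1 ;;  # leading dash only after --
    esac
    return 0
}

# Dispatch.  sshd starts a login shell as "-scp-only" for an interactive
# session (refused), as "scp-only -c CMD" for a remote command, or, for a
# forced command, with the client's request in SSH_ORIGINAL_COMMAND.
case $0 in
    -*) echo "scp-only: interactive logins are not permitted" >&2; exit 1 ;;
esac
if [ "${1-}" = -c ]; then
    request=${2-}
else
    request=${SSH_ORIGINAL_COMMAND-}
fi
if [ -n "$request" ]; then
    if check_scp_command "$request"; then
        set -- $request
        shift                        # drop the leading "scp" word
        exec "$SCP" "$@"
    fi
    echo "scp-only: only scp transfers are permitted" >&2
    exit 1
fi
```

Paths containing spaces, quotes or glob characters are refused rather than re-quoted; classic scp hands the remote path to the remote shell for expansion, and a wrapper that only ever sees the characters above never has to reason about shell quoting. As a login shell the wrapper also makes the chattr discussion moot: bash is never started for this user, so nothing uploaded into the home directory (a new .bashrc, a private chattr binary) gets executed, and `ssh bob@host /bin/sh` arrives as `-c /bin/sh` and is refused like any other non-scp request.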
scp, no ssh
How to allow, for some users' IPs, only scp and no ssh?