On Tue, Sep 05, 2006 at 12:04:07PM -0500, Mark Holden wrote, and it was proclaimed:
> I forgot to mention that we're using RHEL AS3 (currently at update 8)
> and RHEL AS4 (currently at update 4). Does scponly support these
> distributions?
>
> From a quick read of the scponly web page:
>
> - it seems to indicate that SFTP will work as well--is that actually the
> case?

Yes, I use it for many clients to have secured file-only access via SFTP client software.

> - it appears to require a chroot'd environment. If this is the case,
> then I assume that the target dropbox will have to be in that user's
> chroot'd environment. If so, then I assume it would make sense to
> replace the global dropbox that the rest of the system/users use to be a
> symbolic link to the dropbox in that user's chroot'd environment (so
> they don't have to see the gory details of chroot'd environments).

It doesn't require a chroot. It offers a chroot as an option. Basically, this means that chdir(..) will only be possible inside the chroot and only internal symlinks will be awarded. You don't need to run any

> - I assume this would be a patch to the openssh package? Or is it
> simply installing the scponly shell on the system and pointing that user
> id at that shell in /etc/passwd?

Not a patch. It is a user's shell; simply use it instead of /bin/nologin or /bin/bash.

The SSH "sftp" protocol effectively logs in the user using:

    bash$ ssh [EMAIL PROTECTED] sftp-server

(though there are a few other details)

That basically does a "remote execute" of "sftp-server" on the remote host, and connects your stdin to its stdin, and its stdout to your stdout. You can generally run any command on a remote machine in this fashion:

    bash$ ssh [EMAIL PROTECTED] top

So it's nothing really special to just make a drop-in replacement for a shell that will only allow sftp-server and scp to be run, while disallowing everything else. I actually crafted a similar "restricted shell tool" for rsync-over-ssh, which uses effectively the same principle.

> I'm busied out with another deliverable at the moment, so will dig
> deeper into what you mention below in the next couple of days
> (hopefully).
>
> By the way, the pizzashack reference seems to indicate that there are
> security risks, so that concerns me. Does "scponly" have security risks
> as well?

Never heard of the pizzashack thing until recently; scponly is in Gentoo portage... also FreeBSD ports has it, and it seems widely accepted.

> Thanks!
> Mark
>
>
>
> -----Original Message-----
> From: Benjamin Donnachie [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, September 05, 2006 11:53 AM
> To: [email protected]
> Cc: Holden, Mark (RICH1:B670)
> Subject: Re: openssh: Enabling sftp, but disabling ssh?
>
>
> Mark Holden wrote:
> > Does anybody know if it's possible, using openssh, to allow file
> > transfer to/from a machine, using sftp, for a specific userid, and
> > disallow ssh login/remote command execution for that same userid?
> > Other userids on the machine should be unaffected.
>
> I do exactly that on my system; you can't achieve it with OpenSSH alone
> and need to use a helper application such as either scponly[1] or
> rssh[2].
>
> Ben
>
> [1] http://www.sublimation.org/scponly/
> [2] http://www.pizzashack.org/rssh/
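The "drop-in replacement for a shell that will only allow sftp-server and scp" principle from the reply above, written out as an added example. This is not scponly's or rssh's code; the binary paths, the accepted scp options and the character whitelist are this example's own policy, chosen to be strict. The point it adds to the prose is that sshd hands the login shell a whole shell command line (`<shell> -c "<command>"`), so a restricted shell must reject metacharacters and inspect scp's arguments, not just match the program name:

```shell
#!/bin/sh
# Added example: a minimal "allow only sftp-server and scp" login shell in the
# spirit of the reply above. It is NOT scponly's or rssh's code.
# sshd starts the account's login shell as   <shell> -c "<command>"   where
# <command> is whatever the client asked for ("sftp-server", "scp -t dir",
# "top", ...), so a shell that refuses everything but two commands is enough.

# Assumed binary locations (adjust to the distribution). We always exec these,
# never whatever path the client happened to send.
SFTP_SERVER=/usr/lib/openssh/sftp-server
SCP=/usr/bin/scp

nl=$(printf '\nx'); nl=${nl%x}   # a literal newline, used by the checks below

# allowed_command CMDLINE -> exit status 0 if CMDLINE is a permitted
# invocation, 1 otherwise. The policy is this example's own assumption.
allowed_command() {
    cmd=$1

    # The string sshd hands us is a *shell command line*. A naive prefix check
    # would let "scp -t /tmp; bash" through, so refuse any character a shell
    # or scp could interpret: metacharacters, quotes, globs, '=' and ':'
    # (':' is how scp recognises a remote host:path) and embedded newlines.
    case "$cmd" in *"$nl"*) return 1 ;; esac
    if printf '%s' "$cmd" | LC_ALL=C grep -q '[^A-Za-z0-9 ./_+,-]'; then
        return 1
    fi

    # Only plain words separated by spaces can remain, so word-splitting is safe.
    set -- $cmd
    [ $# -ge 1 ] || return 1

    case "$1" in
        sftp-server|*/sftp-server)
            # The sftp subsystem arrives as the path from sshd_config's
            # "Subsystem sftp ..." line; accept it by basename, no arguments.
            [ $# -eq 1 ] || return 1
            ;;
        scp|*/scp)
            # Server-side scp runs as "scp -t DEST" (client uploads) or
            # "scp -f SRC" (client downloads), optionally with -r -p -d -v.
            # Anything else is refused: -o/-S/-F would make scp spawn ssh
            # (and, via ProxyCommand, arbitrary programs).
            shift
            mode=
            while [ $# -gt 1 ]; do
                case "$1" in
                    -t|-f)       mode=$1 ;;
                    -r|-p|-d|-v) ;;
                    *)           return 1 ;;
                esac
                shift
            done
            [ -n "$mode" ] && [ $# -eq 1 ] || return 1
            case "$1" in -*) return 1 ;; esac   # last word must be a path
            ;;
        *)
            return 1
            ;;
    esac
    return 0
}

deny() {
    echo "This account is restricted to sftp and scp." >&2
    exit 1
}

restricted_shell_main() {
    # Interactive login: sshd runs the login shell as "-<shell>" with no
    # arguments. Refuse it outright.
    case "$0" in -*) deny ;; esac
    # Non-interactive: "<shell> -c <command>".
    if [ "${1:-}" = "-c" ]; then
        [ $# -eq 2 ] && allowed_command "$2" || deny
        set -- $2
        case "$1" in
            *sftp-server) exec "$SFTP_SERVER" ;;
            *scp)         shift; exec "$SCP" "$@" ;;
        esac
        deny
    fi
    # Invoked any other way (e.g. run directly to test the policy): do nothing.
}

restricted_shell_main "$@"
```

Installed as the account's shell in /etc/passwd, this lets `sftp` and `scp` clients work while `ssh user@host`, `ssh user@host top` and command-smuggling variants all get the denial message. Two caveats for anyone adapting it: the sftp-server path in sshd_config's `Subsystem` line must match the basename check (any extra arguments on that line are rejected as written), and this gives no chroot at all, so the user still sees the whole filesystem subject to ordinary permissions; the reply above notes that scponly offers a chroot as an option for exactly that reason.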
