On Thu, 17 May 2001, Jesse Adelman wrote:

> Hello, good SSH users and developers. I need to set up SSH such that users
> can scp and sftp but NOT log in to a shell. I've attempted to set a shell as
> /bin/<doesnotexist>, but that breaks SSH generally, including scp and sftp.
> What is the best/preferred method for disabling shell access and allowing
> scp and sftp to work?
> 
> Systems used: RH Linux, Solaris 8

I also once had this problem. Here's how I solved it:

Step 1)  Get the latest source of GNU bash and compile it with
         --enable-restricted supplied as one of the options for
         configure. Install bash (usually, it will be
         installed in /usr/local/bin).

Step 2)  Create a shell script (in this example, I'll call
         it /usr/bin/newbash), chmod 755.

         The contents of this shell script are:


         #!/usr/local/bin/bash
         # "$@" forwards the "-c command" that sshd passes for scp/sftp
         exec /usr/local/bin/bash --restricted --rcfile /etc/newbash_profile "$@"


Step 3)  Create the newbash_profile mentioned above. Copy this
         to /etc.


         # Set the default system $PATH:
         PATH="$HOME/bin"
         PS1='\h:\w\$ '
         export PATH PS1

         # Default umask.  A umask of 022 prevents new files from
         # being created group- or world-writable.
         umask 022


Step 4)  Create subdirectory "bin" just under the home directory
         of user, as mentioned in the PATH in Step 3.

Step 5)  Put in bin all executables that will be needed by the user
         (except bash itself! If you let the user execute bash,
         he can now "break out" of his restrictions, e.g. the user
         can now cd to other dirs!) If you only need scp, just
         copy this to the user's $HOME/bin. Also, throw in "ls"
         (so that your user knows what's in his directory!)

Step 6)  Change the "shell" field of the user in /etc/passwd to
         /usr/bin/newbash

         Example:

old entry:
user:x:106:700:First M. Last,TestUser,,555-9222:/home/user:/bin/bash

new entry:
user:x:106:700:First M. Last,TestUser,,555-9222:/home/user:/usr/bin/newbash


Cheers!

--------------------
"Security begins as a state of mind."
    -- NSA Manual
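Steps 2 through 6 above, carried out as one script and then verified. This is an added example, not code from the post: it stages the wrapper, the profile and the per-user bin directory under a scratch root created with mktemp (the real /etc, /home and /etc/passwd are never touched), using whatever bash is on PATH as a stand-in for the --enable-restricted build in /usr/local/bin. The function and variable names (stage_newbash, check_restricted, audit_user_bin, STAGE) are this example's own. The checks run the wrapper the same way sshd runs a login shell for scp, as "newbash -c command", and require that cd, PATH changes, slashed command names, output redirection and exec are all refused, while a command that lives in $HOME/bin still runs.

```shell
#!/bin/sh
# Added example (not from the post): stage the restricted-shell setup in a
# scratch root and verify that restricted mode actually confines the account.
# Assumes the bash found on PATH supports --restricted.
set -u

BASH_BIN="$(command -v bash)"      # stands in for /usr/local/bin/bash from Step 1

# Steps 2 and 3: write the wrapper and the profile under $1 (a staging root).
# The wrapper passes sshd's "-c command" arguments through with "$@" so that
# scp and sftp, which sshd runs as "$SHELL -c ...", still reach the shell.
stage_newbash() {
    root="$1"
    mkdir -p "$root/usr/bin" "$root/etc"
    cat > "$root/etc/newbash_profile" <<'EOF'
PATH="$HOME/bin"
PS1='\h:\w\$ '
export PATH PS1
umask 022
EOF
    cat > "$root/usr/bin/newbash" <<EOF
#!$BASH_BIN
exec $BASH_BIN --restricted --rcfile $root/etc/newbash_profile "\$@"
EOF
    chmod 755 "$root/usr/bin/newbash"
}

# Steps 4 and 5: a home directory whose bin holds only ls (scp would be copied
# the same way on a real host). Prints the home path for the caller.
stage_user_home() {
    root="$1"
    home="$root/home/user"
    mkdir -p "$home/bin"
    cp "$(command -v ls)" "$home/bin/ls"
    printf '%s\n' "$home"
}

# Every command below must be REFUSED by the restricted shell. Note that with
# "-c" the --rcfile is not sourced, so the restriction itself, not the
# profile, is what holds the line. Returns 0 only if all of them fail.
check_restricted() {
    root="$1"
    wrapper="$root/usr/bin/newbash"
    failures=0
    for cmd in 'cd /' 'PATH=/bin' '/bin/ls' "echo x > $root/escape" 'exec ls'; do
        if "$wrapper" -c "$cmd" >/dev/null 2>&1; then
            echo "NOT restricted: '$cmd' succeeded"
            failures=$((failures + 1))
        fi
    done
    return "$failures"
}

# Step 5's warning made checkable: a shell in the user's bin undoes the
# restriction, so flag any of the usual shell names. Returns 0 if none found.
audit_user_bin() {
    bindir="$1"
    found=0
    for shell in sh bash rbash dash ksh csh tcsh zsh; do
        if [ -e "$bindir/$shell" ]; then
            echo "shell found in $bindir: $shell"
            found=1
        fi
    done
    return "$found"
}

# Positive check: a permitted command in $HOME/bin still runs under the
# sshd-style "-c" invocation when PATH points at that bin.
run_allowed() {
    root="$1"; home="$2"
    HOME="$home" PATH="$home/bin" "$root/usr/bin/newbash" -c 'ls' >/dev/null 2>&1
}

# Demonstration in a scratch root (constructed here; nothing real is modified).
STAGE="$(mktemp -d)"
stage_newbash "$STAGE"
USER_HOME="$(stage_user_home "$STAGE")"
if check_restricted "$STAGE" && audit_user_bin "$USER_HOME/bin" && run_allowed "$STAGE" "$USER_HOME"; then
    echo "restricted account looks sound (staged under $STAGE)"
else
    echo "restriction incomplete, do not deploy"
fi
```

The "/bin/ls" check is the one to keep in mind for sftp: a restricted bash refuses any command name containing a slash, and sshd's Subsystem line for sftp normally names sftp-server by absolute path, so on a real host confirm that the sftp subsystem still starts for the restricted user before relying on it.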
