A friend of mine emailed me and made this comment:

>I don't know what happens behind the
>scenes with scp but if it logs you in
>temporarily before you copy then you
>could just do a chroot jail for people
>who tried to use the login to actually
>log in instead of just using it for scp.
>The chroot should work for scp also.

Is this correct? Does SCP log you in temporarily before it copies and then
logs out? If so, I guess a chroot jail would work. If you were to try and scp
to a directory outside of your home structure it would tell you that it didn't
exist. Any opinions?

Thanks,
Mark.

On 1/17/06, Owen Berry <[EMAIL PROTECTED]> wrote:
>
> How's this for an idea:
>
> + Set them up so they can only login over ssh using public key
> authentication, either setting it globally, or setting their password
> and not telling them what it is.
>
> + In the authorized_keys file specify a command that will be run
> whenever they login. See man 8 sshd for details.
>
> + Create a script that takes a file name from the environment variable
> SSH_ORIGINAL_COMMAND, reads from stdin and dumps the input to the file
> as specified by the name (use dd), in whatever directory you choose.
> Make sure the script only does what you want - remove file paths and
> other bad characters from the file name, and other precautions.
>
> + User then executes this to copy a file:
>
>     cat filename.mp3 | ssh [EMAIL PROTECTED] filename.mp3
>
> If they try anything else they get kicked back with an error message
> from the script.
>
> Owen
>
> On Tue, Jan 17, 2006 at 10:03:25AM -0500, Mark Freeze wrote:
> > I created a user called 'uploads' with all the permissions and stuff that a
> > normal user would have. I changed the shell to /bin/false and tried to scp
> > from my laptop with no success. I would issue the scp command and it would
> > ask me for a password. However, after entering the password it would always
> > say 'lost connection'. I changed the shell back to /bin/bash and it worked
> > normally after that.
> >
> > I may try to look over the script from the website that Rick pointed out if
> > no one else has any ideas.
> >
> > The web form idea from Cristobal was a good idea, but I am trying to do this
> > from a script. My offices downtown are on OSX and they are trying to set up
> > scripts that will automatically send me files. So, I told them they could
> > just scp the files over to me. I could probably just issue them an id and
> > they would add it to their script and forget about it. However, I just
> > don't want an id floating around out there that someone could use and just
> > go browsing around the fs, looking at whatever they wanted. (Was it the
> > Kinks that said, "Paranoia will destroy ya...") I could also set up a
> > chroot jail with proftp but I'd really like to use scp and get this figured
> > out for future use.
> >
> > Thanks to everyone for their help!
> >
> > Thanks,
> > Mark.
> >
> >
> > On 1/16/06, William Sutton <[EMAIL PROTECTED]> wrote:
> > >
> > > What happens if you put /bin/false for the shell? should let them scp to
> > > only where they have permission (e.g., home/user) but not login, correct?
> > >
> > > --
> > > William Sutton
> > >
> > >
> > > On Mon, 16 Jan 2006, Mark Freeze wrote:
> > >
> > > > What are some ways to restrict a ssh user to their home (or any)
> > > > directory? What I am trying to do is set up a username that is jailed to a
> > > > specific directory so users can drop off files via SCP. I don't want them
> > > > navigating around the fs if they were to log in with ssh. And, what about if
> > > > they tried to SCP a file to somewhere other than /home/username? I looked at
> > > > chrooting but that would just restrict them if they logged in. I saw this
> > > > package http://www.sublimation.org/scponly/ but I was trying to do this on
> > > > my server without adding a bunch of packages or 3rd-Party stuff.
> > > >
> > > > Thanks,
> > > > Mark.
> > > >
> > > > --
> --
> TriLUG mailing list : http://www.trilug.org/mailman/listinfo/trilug
> TriLUG Organizational FAQ : http://trilug.org/faq/
> TriLUG Member Services FAQ : http://members.trilug.org/services_faq/
