Boston Linux & Unix (BLU) Home | Calendar | Mail Lists | List Archives | Desktop SIG | Hardware Hacking SIG
Wiki | Flickr | PicasaWeb | Video | Maps & Directions | Installfests | Keysignings
Linux Cafe | Meeting Notes | Blog | Linux Links | Bling | About BLU

BLU Discuss list archive


[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

allowing scp but not ssh (here's how) (WHOOPS)



Thanks for the info!

-----Original Message-----
From: John Abreau [mailto:jabr at blu.org]
Sent: Wednesday, July 31, 2002 3:29 PM
To: Scott Prive
Cc: Alex Pennace; Struts User; discuss at blu.org
Subject: Re: allowing scp but not ssh (here's how) (WHOOPS) 


"Scott Prive" <Scott.Prive at storigen.com> writes:


> I would have thought rbash could be configured to disallow this 
> (or ignore rc files altogether). That may or may not be possible 
> (there is always the source), but I'm very surprised this problem 
> has not been solved before.

This problem in fact has been solved before, in the commercial ssh
server; it comes with a dummy shell for just this purpose.

I just wrote a test script to verify the behavior by logging its
parameters
and stdin to a file on the server. When using openssh's scp as follows:

    % scp /etc/termcap user at server:

the log shows that the shell on the remote end was invoked with the 
parameters "-c scp -t ." 

    % scp /etc/termcap user at server:/tmp/foo

resulted in the parameters "-c scp -t /tmp/foo"

So you can write a dummy shell that checks those parameters and fires up
scp if it's requested, or prints a "no logins allowed" message
otherwise.

    sftp user at server

yields the parameters "-c /usr/libexec/openssh/sftp-server", so you
should allow for that as well.


-- 
John Abreau / Executive Director, Boston Linux & Unix 
ICQ 28611923 / AIM abreauj / JABBER jabr at jabber.org / YAHOO abreauj
Email jabr at blu.org / WWW http://www.abreau.net / PGP-Key-ID 0xD5C7B5D9
PGP-Key-Fingerprint 72 FB 39 4F 3C 3B D6 5B E0 C8 5A 6E F1 2C BE 99

"An idealist is just a farsighted pragmatist."  -Anon






BLU is a member of BostonUserGroups
BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.

Valid HTML 4.01! Valid CSS!



Boston Linux & Unix / webmaster@blu.org