allowing scp but not ssh (here's how)
Scott Prive
Scott.Prive at storigen.com
Tue Jul 30 09:59:26 EDT 2002
Hmm, no, the "ssh lockout" still succeeds in allowing scp but not ssh.
There must be something else that was done to secure this box... I am guessing that rbash, being a restricted shell, refuses to read in .rc files from the home directory. Here is my attempted login:
(for anyone tuning in to the thread late, this is an attempt at securing a box against ssh while still allowing scp. :)
Administrator at PRIVES /cygdrive/c/temp
$ pwd
/cygdrive/c/temp
Administrator at PRIVES /cygdrive/c/temp
$ ls
Administrator at PRIVES /cygdrive/c/temp
$ mkdir .ssh
Administrator at PRIVES /cygdrive/c/temp
$ touch .ssh/foo
Administrator at PRIVES /cygdrive/c/temp
$ ls -l .ssh/foo
-rw-r--r-- 1 Administ None 0 Jul 30 09:42 .ssh/foo
Administrator at PRIVES /cygdrive/c/temp
$ scp -r .ssh/ qatest at tower15:/sfs/qatest
qatest at tower15's password:
foo 100% |***************************************************| 0 00:00
Administrator at PRIVES /cygdrive/c/temp
$ ssh qatest at tower15
qatest at tower15's password:
We're sorry, but you do not have shell access to this machine.
Please contact the system administrator for support.
Connection to tower15 closed.
Administrator at PRIVES /cygdrive/c/temp
$
### At this point, the ssh lockout still holds. I'll go in as root, just to verify the account & system.
Administrator at PRIVES /cygdrive/c/temp
$ ssh root at tower15
root at tower15's password:
Welcome to the Storigen Edge Storage Server platform.
[root at tower15 /root]# grep qatest /etc/passwd
qatest:x:507:507:tower15a.storigen.com Account:/sfs/qatest:/bin/rbash
[root at tower15 /root]# ls -la /sfs/qa
qafiles qatest
[root at tower15 /root]# ls -la /sfs/qatest/
.bash_profile .inputrc cli.pl stest.tar
.bashrc .ssh ftp.pl
[root at tower15 /root]# ls -la /sfs/qatest/.ssh/foo
-rw-r--r-- 1 qatest qatest 0 Jul 30 09:37 /sfs/qatest/.ssh/foo
[root at tower15 /root]#
####################
My understanding is, .ssh is only read in UPON a successful login. I don't think the system ever gets that far, due to the shell script (see earlier email) that auto-kills login processes of users who default to rbash.
If what I've shown so far does not work for you, I'll look to verify my information with the system designer, and provide a better answer than I have :)
-Scott
-----Original Message-----
From: Alex Pennace [mailto:alex at pennace.org]
Sent: Monday, July 29, 2002 8:53 PM
To: Scott Prive
Cc: Struts User; discuss at blu.org
Subject: Re: allowing scp but not ssh (here's how)
On Mon, Jul 29, 2002 at 09:45:25AM -0400, Scott Prive wrote:
> Ah yes, sorry, I *did* intend to copy in the source of the refusal message. :-)
>
> Here's what you'd add. There could be something else to this, but I didn't see any symlink trickery.
>
> This setup allows specific users (determined by their login shell). Out of curiosity, I have not found any way to defeat this, if my only "account" is one of these rbash-designated accounts.
>
> # cat /etc/ssh/sshrc
[snip]
/etc/ssh/sshrc is executed only when ~/.ssh/rc doesn't exist (at least
that's how my sshd works). Make a zero-length ~/.ssh/rc.
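The check that settles the question in this thread, as an added audit script that is not code from Scott, Alex, Storigen or OpenSSH: sshd runs ~/.ssh/rc instead of /etc/ssh/sshrc whenever ~/.ssh/rc exists, so a lockout implemented in /etc/ssh/sshrc only holds for accounts that cannot create that file, and an account with scp access to its own home can create it. The script classifies every account with a given login shell (assumed here to be /bin/rbash, as in the thread) by whether ~/.ssh/rc is already present, whether the account could create it, or whether the lockout still holds. The passwd file, root prefix and shell path are parameters so it can run against a constructed sample tree; every user name and path in the demo is made up.

```shell
#!/bin/sh
# Added audit script, not code from the thread or from OpenSSH.
# Weakness checked: sshd runs ~/.ssh/rc *instead of* /etc/ssh/sshrc when
# ~/.ssh/rc exists, so a "no shell for rbash users" lockout placed in
# /etc/ssh/sshrc holds only for accounts that cannot create that file.
# The passwd file, root prefix and login shell are parameters (hypothetical
# values below) so the script can run against a constructed sample tree.

# can_write DIR USER : true if USER owns DIR (an owner can always chmod it)
# or DIR is group- or world-writable. Parses ls -ld to avoid GNU-only stat(1).
can_write() {
    listing=$(ls -ld "$1") || return 1
    mode=${listing%% *}
    owner=$(printf '%s\n' "$listing" | awk '{print $3}')
    [ "$owner" = "$2" ] && return 0
    case "$mode" in
        ?????w*|????????w*) return 0 ;;   # 'w' in the group (6th) or other (9th) slot
    esac
    return 1
}

# rc_status HOME USER : classify one locked-out account.
#   PLANTED     ~/.ssh/rc exists, so /etc/ssh/sshrc is no longer run for it
#   BYPASSABLE  the account can create ~/.ssh/rc (it can write ~/.ssh, or ~
#               when ~/.ssh does not exist yet)
#   OK          the account cannot create the file; the sshrc lockout holds
rc_status() {
    home=$1; user=$2
    if [ -e "$home/.ssh/rc" ]; then
        echo PLANTED
    elif [ -d "$home/.ssh" ]; then
        if can_write "$home/.ssh" "$user"; then echo BYPASSABLE; else echo OK; fi
    elif [ -d "$home" ] && can_write "$home" "$user"; then
        echo BYPASSABLE
    else
        echo OK
    fi
}

# audit PASSWD_FILE ROOT_PREFIX SHELL : print "<user> <status> <home>" for
# every account whose login shell is SHELL; return 1 if any is not OK.
# The here-document (not a pipe) keeps the loop in the current shell so $bad survives.
audit() {
    passwd=$1; prefix=$2; shell=$3; bad=0
    while IFS=: read -r user home; do
        [ -n "$user" ] || continue
        status=$(rc_status "$prefix$home" "$user")
        printf '%s %s %s\n' "$user" "$status" "$home"
        [ "$status" = OK ] || bad=1
    done <<EOF
$(awk -F: -v s="$shell" '$7 == s { print $1 ":" $6 }' "$passwd")
EOF
    return $bad
}

# Stand-alone demo on a constructed tree. The running user's name is used for
# one account so the "can write its own ~/.ssh" case actually shows up.
demo() {
    root=$(mktemp -d); me=$(id -un)
    mkdir -p "$root/sfs/qatest/.ssh" "$root/sfs/other"
    chmod 755 "$root/sfs/qatest/.ssh" "$root/sfs/other"
    : > "$root/sfs/qatest/.ssh/foo"   # the thread's upload: not named rc, changes nothing
    printf '%s\n' \
        "$me:x:507:507:QA Account:/sfs/qatest:/bin/rbash" \
        "other:x:508:508:Other Account:/sfs/other:/bin/rbash" \
        "root:x:0:0:root:/root:/bin/bash" > "$root/passwd"
    audit "$root/passwd" "$root" /bin/rbash
    rc=$?
    rm -rf "$root"
    return $rc
}

demo || echo "at least one rbash account can defeat the sshrc lockout"
```

Against a live system the call is `audit /etc/passwd "" /bin/rbash` as root. Note that the file Scott uploads in the session above is `.ssh/foo`, so his test never creates the `~/.ssh/rc` that Alex's suggestion depends on; the script reports that account as BYPASSABLE rather than PLANTED. On current OpenSSH (outside the thread's era) the directive that closes this is `PermitUserRC no` in sshd_config, usable inside a `Match` block, with the "scp only" restriction expressed through `ForceCommand` rather than through sshrc ordering.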