allowing scp but not ssh (here's how) (WHOOPS)
John Abreau
jabr at blu.org
Wed Jul 31 15:28:40 EDT 2002
"Scott Prive" <Scott.Prive at storigen.com> writes:
> I would have thought rbash could be configured to disallow this
> (or ignore rc files altogether). That may or may not be possible
> (there is always the source), but I'm very surprised this problem
> has not been solved before.

This problem in fact has been solved before, in the commercial ssh
server; it comes with a dummy shell for just this purpose.

I just wrote a test script to verify the behavior by logging its parameters
and stdin to a file on the server. When using openssh's scp as follows:

    % scp /etc/termcap user@server:

the log shows that the shell on the remote end was invoked with the
parameters "-c scp -t ."

    % scp /etc/termcap user@server:/tmp/foo

resulted in the parameters "-c scp -t /tmp/foo"

So you can write a dummy shell that checks those parameters and fires up
scp if it's requested, or prints a "no logins allowed" message otherwise.

    sftp user@server

yields the parameters "-c /usr/libexec/openssh/sftp-server", so you
should allow for that as well.

--
John Abreau / Executive Director, Boston Linux & Unix
ICQ 28611923 / AIM abreauj / JABBER jabr at jabber.org / YAHOO abreauj
Email jabr at blu.org / WWW http://www.abreau.net / PGP-Key-ID 0xD5C7B5D9
PGP-Key-Fingerprint 72 FB 39 4F 3C 3B D6 5B E0 C8 5A 6E F1 2C BE 99
"An idealist is just a farsighted pragmatist." -Anon
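
The dummy shell described in the message above, as an added example that is not part of the original post or of any ssh distribution. The function names, the allowed path character set, and finding scp on PATH are assumptions; it accepts only the logged "scp -t <path>" form and the logged sftp-server path, and it never hands the command string back to a shell.

```shell
#!/bin/sh
# Added example: scp/sftp-only login shell. sshd starts the account's
# shell as:  <shell> -c "<command string>"
unset IFS                                      # split on default whitespace
SFTP_SERVER=/usr/libexec/openssh/sftp-server   # path as logged in the post

# Print "scp", "sftp" or "deny" for one requested command string.
scponly_decide() {
    case $1 in "$SFTP_SERVER") echo sftp; return ;; esac
    set -f            # no filename expansion while splitting into words
    set -- $1         # unquoted on purpose; the string is never eval'ed
    set +f
    # Only the exact shape seen in the log: scp -t <path>
    [ "$#" -eq 3 ] && [ "$1" = scp ] && [ "$2" = -t ] || { echo deny; return; }
    case $3 in
        -*|*[!A-Za-z0-9._/-]*) echo deny ;;   # option-like or shell-special
        *) echo scp ;;
    esac
}

scponly_main() {
    # Anything but "-c <string>" (e.g. an interactive login) is refused.
    [ "${1-}" = -c ] && [ "$#" -eq 2 ] || set -- -c ""
    case $(scponly_decide "$2") in
        sftp) exec "$SFTP_SERVER" ;;
        scp)  set -f; set -- $2; set +f
              exec scp -t "$3" ;;             # argv passed directly, no sh -c
        *)    echo "no logins allowed" >&2; return 1 ;;
    esac
}

# A refused command exits non-zero; with no arguments (interactive login)
# the message is printed and the script ends, closing the session.
scponly_main "$@" || { [ "$#" -eq 0 ] || exit 1; }
```

Checking for a leading "scp " alone would not be enough, since a string such as "scp -t /tmp/foo; sh" also starts that way; the word count and character check are what reject it.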