SLUG Mailing List Archives
Re: [SLUG] Restricting ssh.
- To: Ben Leslie <benno@xxxxxxxxxxxx>
- Subject: Re: [SLUG] Restricting ssh.
- From: Conrad Parker <conradp@xxxxxxxxxxxxxxx>
- Date: Mon Oct 30 12:43:14 2000
- Cc: Rodos <rodos@xxxxxxxxxxx>, Syndey Linux Users Group <slug@xxxxxxxxxxx>

On Mon, Oct 30, 2000 at 12:18:21PM +1100, Ben Leslie wrote:
> On Mon, 30 Oct 2000, Rodos wrote:
> > Is there a way to allow people to use scp to copy files over ssh but not
> > to log in over ssh?
> > I am using Debian if it matters. I found all the config options in man
> > sshd but there is no mention of the interworking of scp and sshd apart
> > from the scp man page, which says "It uses ssh(1) for data transfer, and uses
> > the same authentication and provides the same security as ssh(1)." Looks
> > like I might be out of luck.
> Probably doesn't help but could you set their shell to /bin/true or something?
> (But I guess they need to login from elsewhere, maybe you can set their shell
> to /bin/true only if they log in from ssh?)

if you use RSA keys for the ssh authentication, you can restrict the
commands that can be run from certain keys. Most commonly, you set
the key to only run something like "sleep 20", which as a side
effect keeps the ssh connection open long enough to set up a port
redirection or, in this case I'm guessing, it would allow the copy to
occur (assuming the initiation of the copy happens orthogonally to the
initiation of a shell command, just like the initiation of a port
redirection happens orthogonally to the shell).

check the section AUTHORIZED_KEYS FILE FORMAT in the sshd man page
for more details.
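
An added example, not part of the original thread: a forced-command wrapper for the per-key `command="..."` restriction described above, written so the key can only run the server side of a copy. It assumes the legacy scp protocol (the client asks the server to run `scp -t <path>` or `scp -f <path>`, which sshd passes to a forced command in `SSH_ORIGINAL_COMMAND`; OpenSSH 9.0 and later need `scp -O` for this); the install path `/usr/local/bin/scp-only` and the key line are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): forced-command wrapper for an scp-only key.
# Assumed install path (hypothetical): /usr/local/bin/scp-only
# Assumed ~/.ssh/authorized_keys entry, on one line, key material is a placeholder:
#   command="/usr/local/bin/scp-only",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-rsa AAAA...PLACEHOLDER user@example
LC_ALL=C; export LC_ALL   # make the A-Z / a-z ranges below mean ASCII only

# Return 0 only if $1 looks like what a legacy-protocol scp client sends:
#   scp [-r] [-p] [-d] [-v] -t|-f <one path>
scp_cmd_allowed() {
    cmd=$1
    # Character whitelist first: rejects quotes, globs, ';', '$', newlines, etc.
    case $cmd in
        ''|*[!A-Za-z0-9\ ._/-]*) return 1 ;;
    esac
    set -- $cmd               # safe to split: only spaces can separate words now
    [ "$1" = scp ] || return 1
    shift
    mode=
    while [ $# -gt 1 ]; do    # everything before the last word must be a known flag
        case $1 in
            -t|-f) mode=$1 ;; # -t = receive a file (sink), -f = send a file (source)
            -r|-p|-d|-v) ;;
            *) return 1 ;;
        esac
        shift
    done
    [ -n "$mode" ] && [ $# -eq 1 ] || return 1
    case $1 in                # the path: no option-like names, no ".." components
        -*|..|../*|*/../*|*/..) return 1 ;;
    esac
    return 0
}

# sshd runs this script instead of whatever the client requested.
# SSH_ORIGINAL_COMMAND is unset for an interactive login attempt; the script
# then simply ends, so the key never gets a shell.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    if scp_cmd_allowed "$SSH_ORIGINAL_COMMAND"; then
        exec $SSH_ORIGINAL_COMMAND   # validated above: plain words, no metacharacters
    fi
    echo "scp-only key: command refused" >&2
    exit 1
fi
```

Paths containing spaces are refused by the character whitelist; that is a deliberate simplification in this example.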