Re: Creating account with SCP ONLY

From: Eric W. Bates (ericx_at_vineyard.net)
Date: 08/21/03

  • Next message: Eric W. Bates: "Re: Creating account with SCP ONLY"
    To: "Andrew Thompson" <andy@fud.org.nz>, "Ralph Forsythe" <rf-list@centerone.com>
    Date: Thu, 21 Aug 2003 10:46:41 -0400
    ----- Original Message -----
    From: "Andrew Thompson" <andy@fud.org.nz>
    To: "Ralph Forsythe" <rf-list@centerone.com>
    Cc: <freebsd-isp@freebsd.org>
    Sent: Thursday, August 21, 2003 1:30 AM
    Subject: Re: Creating account with SCP ONLY


    > On Thu, 2003-08-21 at 17:25, Ralph Forsythe wrote:
    > > Since we're talking about limiting ssh access right now... I need to
    > > create user accounts that cannot use the shell, but can still move files
    > > around via scp/sftp. We have FTP disabled, and as we start to bring users
    > > online I do not want them having shell capabilities for security reasons.
    > >
    >
    > /usr/ports/shells/scponly

    I was interested to learn of this port and we tried it this morning, but we can't make it work.

    Setting debug level 2 in /usr/local/etc/scponly/debuglevel, we get denied:

     ** ericx@king1 ** ~ ** Thu Aug 21 10:40:55
    $ scp bdrtest@k2:/usr/local/customers/customers.king2/bdrtest/personal/foo.txt .
    bdrtest@king2.vineyard.net's password:
    [48256]: 3 arguments in total.
    [48256]: arg 0 is scponly
    [48256]: arg 1 is -c
    [48256]: arg 2 is scp -f /usr/local/customers/customers.king2/bdrtest/personal/foo.txt
    [48256]: opened log at LOG_AUTHPRIV, opts 0x00000029
    [48256]: retrieved home directory of "/usr/local/customers/customers.king2/./bdrtest" for user "bdrtest"
    [48256]: setting uid to 3575
    [48256]: processing request: "scp -f /usr/local/customers/customers.king2/bdrtest/personal/foo.txt"

    [48256]: denied request: scp -f /usr/local/customers/customers.king2/bdrtest/personal/foo.txt [username: bdrtest(3575), IP/port: 204.17.195.90 1483 22]

    Apparently this question has been asked on the scponly mailing list, but never answered.

    > _______________________________________________
    > freebsd-isp@freebsd.org mailing list
    > http://lists.freebsd.org/mailman/listinfo/freebsd-isp
    > To unsubscribe, send any mail to "freebsd-isp-unsubscribe@freebsd.org"
    >

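The debug trace in the message above shows where a scp-only login shell makes its decision: sshd invokes the shell as `scponly -c "scp -f <path>"`, the wrapper logs "processing request" and then either execs the program or logs "denied request". The log does not say which rule the request failed. The block below is an added example written for this page; it is not scponly's code and is not from anyone in the thread. It implements the kind of allow-list check such a wrapper performs, under assumptions of my own: only `scp` and `sftp-server` may run, `scp` must be in server mode (`-f` or `-t`) with exactly one path argument, and any scp flag that names a program or configuration file (`-S`, `-o`, `-F`) is refused because it would let the client run arbitrary code. The names `check_request`, `split_args` and the `verdict` enum are mine.

```c
/* Illustrative allow-list check for a scp/sftp-only login shell.
 * Added example, not scponly's own code. sshd runs the login shell as
 * `<shell> -c "<request>"`; check_request() decides whether <request>
 * may be exec'd. Policy (an assumption of this example): only scp and
 * sftp-server, scp in server mode with one path, no -S/-o/-F style flags. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

enum verdict { ALLOW, DENY_EMPTY, DENY_METACHAR, DENY_COMMAND, DENY_OPTION, DENY_MODE };

#define MAX_ARGS 32
#define MAX_REQ  1024

/* Split buf on whitespace into argv[]; returns argc. No quoting support on
 * purpose: a request that needs quotes is already refused as a metacharacter. */
static int split_args(char *buf, char *argv[], int max)
{
    int argc = 0;
    char *p = buf;
    while (*p && argc < max) {
        while (*p && isspace((unsigned char)*p)) p++;
        if (!*p) break;
        argv[argc++] = p;
        while (*p && !isspace((unsigned char)*p)) p++;
        if (*p) *p++ = '\0';
    }
    return argc;
}

static const char *basename_of(const char *path)
{
    const char *slash = strrchr(path, '/');
    return slash ? slash + 1 : path;
}

/* scp server-side flags a client legitimately sends; -f/-t select the mode. */
static int scp_flag_ok(char c) { return strchr("ftrdpv", c) != NULL; }

enum verdict check_request(const char *request)
{
    char buf[MAX_REQ];
    char *argv[MAX_ARGS];
    int argc, i, have_mode = 0;

    if (request == NULL || strlen(request) >= sizeof buf) return DENY_EMPTY;
    /* Refuse anything a shell would interpret. The wrapper execs directly and
     * never goes through sh, but this also blocks escaped paths and newlines. */
    if (strpbrk(request, ";|&<>$`'\"\\\n\r()*?[]{}")) return DENY_METACHAR;

    strcpy(buf, request);
    argc = split_args(buf, argv, MAX_ARGS);
    if (argc == 0) return DENY_EMPTY;

    const char *cmd = basename_of(argv[0]);
    if (strcmp(cmd, "sftp-server") == 0)
        return argc == 1 ? ALLOW : DENY_OPTION;   /* bare subsystem only */
    if (strcmp(cmd, "scp") != 0)
        return DENY_COMMAND;                      /* not on the allow list */

    /* scp: option tokens first, then exactly one path. Any flag outside the
     * server-side set (e.g. -S program, -o option, -F config) is refused. */
    for (i = 1; i < argc && argv[i][0] == '-'; i++) {
        if (argv[i][1] == '\0') return DENY_OPTION;   /* lone "-" */
        for (const char *f = argv[i] + 1; *f; f++) {
            if (!scp_flag_ok(*f)) return DENY_OPTION;
            if (*f == 'f' || *f == 't') have_mode = 1;
        }
    }
    if (!have_mode || argc - i != 1 || argv[i][0] == '-') return DENY_MODE;
    return ALLOW;
}

/* Stand-alone use: ./check -c "scp -f /path/to/file" */
int main(int argc, char *argv[])
{
    static const char *names[] = {
        "allowed", "denied: empty request", "denied: shell metacharacter",
        "denied: command not permitted", "denied: option not permitted",
        "denied: missing -f/-t mode or path"
    };
    if (argc != 3 || strcmp(argv[1], "-c") != 0) {
        fprintf(stderr, "usage: %s -c \"<request>\"\n", argv[0]);
        return 2;
    }
    enum verdict v = check_request(argv[2]);
    printf("processing request: \"%s\"\n%s\n", argv[2], names[v]);
    return v == ALLOW ? 0 : 1;
}
```

Run against the exact request string from the trace above, this policy allows it, so a wrapper using these rules would have exec'd scp rather than logged a denial; when debugging a real deployment, compare the request line the wrapper logs against its compiled-in command list and option filter in the same way.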
