Re: scp as root, but not ssh?




Colin B. wrote:
Hey all;

Just a quick question. Is it possible to allow scp between machines as root
(with appropriate passwords) but still disallow ssh login as root? I can't
see any options in sshd_config, and I don't recall seeing it before, but it
would be awfully handy.

Thanks,
Colin

You might want to have a play with this:

$ cat scp_only
#!/usr/bin/sh
#
# Use this to prevent accounts from doing anything other than scp transfers
# and even then only within their own HOME directory.
#
# If you wanted to, you could stick a couple of symlinks in their $HOME to
# allow them to get to specific areas, but go easy...
#
#
# To make use of this program, you need to amend the line in the target
# account's authorized_keys as below:
#
# Authorized_keys:
# command="/opt/bluesq/admin/scp_only" ssh-rsa AAAAB3NzaC1yc2EAAA***blah***blah***
#
# Martin Hutchins
# Jan 2006
#
# Check the requested command with nawk; run it only if every check passes.
echo "$SSH_ORIGINAL_COMMAND" | nawk '
{
    if ($1 != "scp")
    {
        print "Only scp is permitted to this account\n";
        exit(1)
    }

    # Only allow uploads (-t) but also allow directory specification (-d)
    #
    # I have commented this lump out again, as I believe it may be desirable
    # to allow people to up and down load.
    # As it is, the path checks below will stop any naughty downloads, so I
    # think this extra bit is probably a bit anal!
    #
    # for (i = 1; i <= NF; i++) {
    #     if (i > 1 && i < NF)
    #     {
    #         if ($i != "-t" && $i != "-d")
    #         {
    #             print "Illegal flag!:" $i
    #             exit(1);
    #         }
    #     }
    # }

    # Last field ($NF) is always going to be the destination;
    # make sure it passes muster
    if (match($NF, /^\//))
    {
        print "Absolute paths forbidden!";
        exit(1);
    }
    if (match($NF, /\.\./))
    {
        print "Upward Relative paths forbidden!";
        exit(1);
    }
    exit(0);
} ' && $SSH_ORIGINAL_COMMAND
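
An added example, not part of the original post: the script above inspects only the first and last words of SSH_ORIGINAL_COMMAND, so this variant checks every word against an allowlist before anything is run. The function name `scp_cmd_ok` is hypothetical, the sample commands are constructed, and it assumes the server-side invocation has the form `scp [-d] [-r] [-p] [-v] -t|-f path`.

```shell
#!/bin/sh
# Added example: strict allowlist for the server-side scp command line.
# scp_cmd_ok is a hypothetical helper, not part of the original scp_only.
# Returns 0 if the command string is acceptable, 1 otherwise.
scp_cmd_ok() (
    set -f                      # no filename globbing while word-splitting
    set -- $1                   # split the command string on whitespace
    [ "${1:-}" = "scp" ] || exit 1
    shift
    mode=0
    path=""
    for tok in "$@"; do
        case "$tok" in
            -t|-f) mode=$((mode + 1)) ;;      # sink (upload) / source (download)
            -d|-r|-p|-v) ;;                   # modifiers assumed to be sent by scp
            -*) exit 1 ;;                     # any other option is refused
            *)  [ -z "$path" ] || exit 1      # exactly one path argument
                path=$tok ;;
        esac
    done
    [ "$mode" -eq 1 ] || exit 1               # exactly one of -t / -f
    [ -n "$path" ] || exit 1
    case "$path" in
        /*) exit 1 ;;                         # absolute path
        ..|../*|*/..|*/../*) exit 1 ;;        # upward path component
        *[!A-Za-z0-9._/-]*) exit 1 ;;         # unexpected characters
    esac
    exit 0
)

# Constructed sample commands (not taken from the post).
for c in "scp -t incoming/report.txt" "scp -f /etc/passwd" \
         "scp -t ../other" "scp -z -t x" "rsync --server ."; do
    if scp_cmd_ok "$c"; then echo "allow: $c"; else echo "deny:  $c"; fi
done
```

In a forced-command wrapper this would be called as `scp_cmd_ok "$SSH_ORIGINAL_COMMAND"` before running the command. Unlike the `..` match above, it rejects `..` only as a whole path component, so a name such as `a..b` is accepted.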
