Re: scp as root, but not ssh?


Colin B. wrote:
Hey all;

Just a quick question. Is it possible to allow scp between machines as root
(with appropriate passwords) but still disallow ssh login as root? I can't
see any options in sshd_config, and I don't recall seeing it before, but it
would be awfully handy.

Thanks,
Colin

You might want to have a play with this:

$ cat scp_only
#!/usr/bin/sh
#
# Use this to prevent accounts from doing anything other than scp
transfers and even then
# only within their own HOME directory.
#
# If you wanted to, you could stick a couple of symlinks in their $HOME
to allow them
# to get to specific areas, but go easy...
#
#
# To make use of this program, you need to amend the line in the target
accounts
# authorized_keys in as below:
#
# Authorized_keys:
# command="/opt/bluesq/admin/scp_only" ssh-rsa
AAAAB3NzaC1yc2EAAA***blah***blah***
#
# Martin Hutchins
# Jan 2006
#
echo $SSH_ORIGINAL_COMMAND | nawk '
{
if ($1 != "scp")
{
print "Only 'scp' is permitted to this account\n";
exit(1)
}

/* Only allow 'uploads' (-t) but also allow directory
specification (-d) */
/*

I have commented this lump out again, as I believe it
may be desireable to
allow people to up and down load.
As it is, the path checks below will stop any 'naughty'
downloads, so I
think this extra bit is probably a bit anal!
for(i=1 ; i <= NF ; i++) {
if (i > 1 && i < NF)
{
if ($i != "-t" && $i != "-d")
{
print "Ilegal flag!:" $i
exit(1);
}
}
}

*/
/*
Last field ($NF) is always going to be the destination
make sure it passes 'muster'
*/
if (match($NF, /^\//))
{
print "Absolute paths forbidden!";
exit(1);
}
if (match($NF, /\.\./))
{
print "Upward Relative paths forbidden!";
exit(1);
}
exit(0);
} ' && $SSH_ORIGINAL_COMMAND

.

Relevant Pages

  • Re: [Full-Disclosure] Re: Re: Any update on SSH brute force attempts?
    ... automated use of 'scp' etc. ... > places that require root access. ... Allowing root ssh access but setting policy on its use seems a better option ...
    (Full-Disclosure)
  • Re: ssh remote command problem;
    ... I did the fix as a normal user. ... (we have many other users so I prefer not to mess with my root ... But it seems to get invked on outgoing scp calls as well. ...
    (comp.security.ssh)
  • Re: ssh remote command problem;
    ... (we have many other users so I prefer not to mess with my root ... You can do what the scp code itself does: ... I had made another easy hack so that the post-processor was ... i.e. post-processing only on incoming scp's. ...
    (comp.security.ssh)
  • Re: multihost master.passwd sync
    ... On Tuesday 27 May 2003 12:31 pm, Andy Harrison wrote: ... >> so you scp the file to a directory owned by a user designated to only do ... > Root can't scp a file from one host to another where remote root login is ...
    (FreeBSD-Security)
  • Re: Changing home directory
    ... I want to change my home directory from /home/me to /tmp/me without getting root involved. ... It also means that whether I do ssh or scp or ftp or telnet it should see my home directory as /tmp/me. ...
    (Fedora)