[TriLUG] SCP, Chroot

Owen Berry oberry at trilug.org
Tue Jan 17 10:30:26 EST 2006


How's this for an idea:

+ Set them up so they can only log in over ssh using public key
authentication, either setting it globally, or setting their password
and not telling them what it is.

+ In the authorized_keys file specify a command that will be run
whenever they log in. See man 8 sshd for details.

+ Create a script that takes a file name from the environment variable
SSH_ORIGINAL_COMMAND, reads from stdin and dumps the input to the file
as specified by the name (use dd), in whatever directory you choose.
Make sure the script only does what you want - remove file paths and
other bad characters from the file name, and other precautions.

+ User then executes this to copy a file:

	cat filename.mp3 | ssh user@host filename.mp3

If they try anything else they get kicked back with an error message
from the script.

Owen

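The forced-command script Owen sketches above, written out as an added example (it is not Owen's script or anything from the thread). It assumes the account is called uploads, that the script is installed as /usr/local/bin/upload-only, and that files land in /home/uploads/incoming; all three are made-up names. Two details worth knowing before trying it: sshd runs a command="..." through the user's login shell, so the uploads account needs a real shell such as /bin/sh (the /bin/false that Mark tried would kill the forced command just as it killed scp), and a client that runs plain scp will arrive with SSH_ORIGINAL_COMMAND set to something like "scp -t .", which the name check below rejects on purpose.

```sh
#!/bin/sh
# upload-only: forced command for the uploads account (example, not from the thread).
#
# authorized_keys line for the office machine's key (path and key name assumed):
#   command="/usr/local/bin/upload-only",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa AAAA... office-script
#
# Client side, as in Owen's message:
#   cat report.mp3 | ssh uploads@host report.mp3

UPLOAD_DIR="${UPLOAD_DIR:-/home/uploads/incoming}"   # assumed drop directory

# Print the file name if it is acceptable, otherwise fail. Only one bare
# name is allowed: no slashes (so no "../" or absolute paths), no leading
# dot (no dotfiles), nothing but letters, digits, dot, underscore, dash.
# This also rejects "scp -t ." and anything else with spaces or metacharacters.
sanitize_name() {
    name=$1
    case $name in
        ''|.*|*/*) return 1 ;;
    esac
    case $name in
        *[!A-Za-z0-9._-]*) return 1 ;;
    esac
    [ ${#name} -le 128 ] || return 1
    printf '%s\n' "$name"
}

# Copy stdin into "$1/<checked name>" with dd. Never overwrite: the -e check
# gives a readable error, and set -C (noclobber) makes the create O_EXCL so
# a race cannot slip past the check. umask 077 keeps the file private.
receive_upload() {
    dir=$1
    name=$(sanitize_name "$2") || { echo "upload-only: bad file name" >&2; return 2; }
    dest="$dir/$name"
    if [ -e "$dest" ]; then
        echo "upload-only: $name already exists" >&2
        return 3
    fi
    ( umask 077; set -C; dd 2>/dev/null >"$dest" ) \
        || { echo "upload-only: write failed" >&2; return 4; }
}

# Entry point when sshd runs us: sshd puts whatever the client asked to
# execute in SSH_ORIGINAL_COMMAND, and that string is the file name.
# SSH_CONNECTION is only set inside an ssh session, so sourcing this file
# elsewhere (e.g. for testing) just defines the functions.
if [ -n "${SSH_CONNECTION:-}" ]; then
    if [ -z "${SSH_ORIGINAL_COMMAND:-}" ]; then
        echo "upload-only: no interactive login; use: cat FILE | ssh uploads@host FILE" >&2
        exit 1
    fi
    receive_upload "$UPLOAD_DIR" "$SSH_ORIGINAL_COMMAND"
    exit $?
fi
```

Install it mode 0755, owned by root, so the uploads account cannot edit its own gatekeeper, and make /home/uploads/incoming writable only by that account. Anything other than a single clean file name (a login with no command, a path, scp's own command line) comes back as an error on the client's stderr, which is exactly the "kicked back" behaviour Owen describes.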
On Tue, Jan 17, 2006 at 10:03:25AM -0500, Mark Freeze wrote:
> I created a user called 'uploads' with all the permissions and stuff that a
> normal user would have.  I changed the shell to /bin/false and tried to scp
> from my laptop with no success.  I would issue the scp command and it would
> ask me for a password.  However, after entering the password it would always
> say 'lost connection'.  I changed the shell back to /bin/bash and it worked
> normally after that.
> 
> I may try to look over the script from the website that Rick pointed out if
> no one else has any ideas.
> 
> The web form idea from Cristobal was a good idea, but I am trying to do this
> from a script.  My offices downtown are on OSX and they are trying to set up
> scripts that will automatically send me files. So, I told them they could
> just scp the files over to me.  I could probably just issue them an id and
> they would add it to their script and forget about it.  However, I just
> don't want an id floating around out there that someone could use and just
> go browsing around the fs, looking at whatever they wanted.  (Was it the
> Kinks that said, "Paranoia will destroy ya...")  I could also set up a
> chroot jail with proftp but I'd really like to use scp and get this figured
> out for future use.
> 
> Thanks to everyone for their help!
> 
> Thanks,
> Mark.
> 
> 
> On 1/16/06, William Sutton <william at trilug.org> wrote:
> >
> > What happens if you put /bin/false for the shell?  should let them scp to
> > only where they have permission (e.g., home/user) but not login, correct?
> >
> > --
> > William Sutton
> >
> >
> > On Mon, 16 Jan 2006, Mark Freeze wrote:
> >
> > > What are some ways to restrict an ssh user to their home (or any)
> > > directory?  What I am trying to do is set up a username that is jailed
> > > to a specific directory so users can drop off files via SCP.  I don't
> > > want them navigating around the fs if they were to log in with ssh. And,
> > > what about if they tried to SCP a file to somewhere other than
> > > /home/username? I looked at chrooting but that would just restrict them
> > > if they logged in.  I saw this package
> > > http://www.sublimation.org/scponly/ but I was trying to do this on my
> > > server without adding a bunch of packages or 3rd-party stuff.
> > >
> > > Thanks,
> > > Mark.
> > > --
