[TriLUG] SCP, Chroot

Mark Freeze mfreeze at gmail.com
Tue Jan 17 13:58:03 EST 2006


A friend of mine emailed me and made this comment:

>I don't know what happens behind the
>scenes with scp, but if it logs you in
>temporarily before you copy then you
>could just do a chroot jail for people
>who tried to use the login to actually
>log in instead of just using it for scp.
>The chroot should work for scp also.

Is this correct?  Does SCP log you in temporarily before it copies and then
logs out?  If so, I guess a chroot jail would work.  If you were to try and
scp to a directory outside of your home structure it would tell you that it
didn't exist.

Any opinions?

Thanks,
Mark.


On 1/17/06, Owen Berry <oberry at trilug.org> wrote:
>
> How's this for an idea:
>
> + Set them up so they can only login over ssh using public key
> authentication, either setting it globally, or setting their password
> and not telling them what it is.
>
> + In the authorized_keys file specify a command that will be run
> whenever they login. See man 8 sshd for details.
>
> + Create a script that takes a file name from the environment variable
> SSH_ORIGINAL_COMMAND, reads from stdin and dumps the input to the file
> as specified by the name (use dd), in whatever directory you choose.
> Make sure the script only does what you want - remove file paths and
> other bad characters from the file name, and other precautions.
>
> + User then executes this to copy a file:
>
>        cat filename.mp3 | ssh user at host filename.mp3
>
> If they try anything else they get kicked back with an error message
> from the script.
>
> Owen
>
> On Tue, Jan 17, 2006 at 10:03:25AM -0500, Mark Freeze wrote:
> > I created a user called 'uploads' with all the permissions and stuff
> > that a normal user would have.  I changed the shell to /bin/false and
> > tried to scp from my laptop with no success.  I would issue the scp
> > command and it would ask me for a password.  However, after entering
> > the password it would always say 'lost connection'.  I changed the
> > shell back to /bin/bash and it worked normally after that.
> >
> > I may try to look over the script from the website that Rick pointed
> > out if no one else has any ideas.
> >
> > The web form idea from Cristobal was a good idea, but I am trying to do
> > this from a script.  My offices downtown are on OSX and they are trying
> > to set up scripts that will automatically send me files.  So, I told
> > them they could just scp the files over to me.  I could probably just
> > issue them an id and they would add it to their script and forget about
> > it.  However, I just don't want an id floating around out there that
> > someone could use and just go browsing around the fs, looking at
> > whatever they wanted.  (Was it the Kinks that said, "Paranoia will
> > destroy ya...")  I could also set up a chroot jail with proftp but I'd
> > really like to use scp and get this figured out for future use.
> >
> > Thanks to everyone for their help!
> >
> > Thanks,
> > Mark.
> >
> >
> > On 1/16/06, William Sutton <william at trilug.org> wrote:
> > >
> > > What happens if you put /bin/false for the shell?  Should let them
> > > scp to only where they have permission (e.g., home/user) but not
> > > login, correct?
> > >
> > > --
> > > William Sutton
> > >
> > >
> > > On Mon, 16 Jan 2006, Mark Freeze wrote:
> > >
> > > > What are some ways to restrict an ssh user to their home (or any)
> > > > directory?  What I am trying to do is set up a username that is
> > > > jailed to a specific directory so users can drop off files via SCP.
> > > > I don't want them navigating around the fs if they were to log in
> > > > with ssh.  And, what about if they tried to SCP a file to somewhere
> > > > other than /home/username?  I looked at chrooting but that would
> > > > just restrict them if they logged in.  I saw this package
> > > > http://www.sublimation.org/scponly/ but I was trying to do this on
> > > > my server without adding a bunch of packages or 3rd-party stuff.
> > > >
> > > > Thanks,
> > > > Mark.
> > > > --
> --
> TriLUG mailing list        : http://www.trilug.org/mailman/listinfo/trilug
> TriLUG Organizational FAQ  : http://trilug.org/faq/
> TriLUG Member Services FAQ : http://members.trilug.org/services_faq/
>
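The forced-command approach Owen describes (a command= entry in authorized_keys, a script that reads SSH_ORIGINAL_COMMAND and dumps stdin to a file with dd) is shown below as an added example; it is not code from the thread or from any of the posters. The script name, the /var/uploads drop directory and the UPLOAD_DIR variable are assumptions. Two points worth noting for anyone trying this: sshd runs the forced command through the account's login shell, so the account still needs a real shell rather than /bin/false (which is why Mark's first attempt ended in "lost connection"), and the no-pty, no-port-forwarding, no-X11-forwarding and no-agent-forwarding key options close the other things a key holder could otherwise do with the connection.

```bash
#!/bin/sh
# recv-upload: a forced-command receiver in the spirit of Owen's suggestion.
# Added example, not code from the thread. Paths are assumptions.
#
# Install it for the upload account by prefixing its key in
# ~uploads/.ssh/authorized_keys (all on one line) with:
#   command="/usr/local/bin/recv-upload",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-rsa AAAA...
# sshd then ignores whatever the client asked to run, starts this script
# instead, and places the client's request in SSH_ORIGINAL_COMMAND.
# Client usage:
#   cat filename.mp3 | ssh uploads@host filename.mp3

UPLOAD_DIR="${UPLOAD_DIR:-/var/uploads}"   # assumed drop directory, writable by the account

# Print the name on stdout and return 0 only if it is a safe single path
# component: not empty, no '/', not starting with '.' or '-', and made only
# of [A-Za-z0-9._-].  Everything else (../etc/passwd, .bashrc, "a b") is refused.
sanitize_name() {
    case "$1" in
        ''|*/*|.*|-*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    printf '%s\n' "$1"
}

# Copy stdin into UPLOAD_DIR/<name>.  Refuses bad names and existing files, so
# a client can neither pick the directory nor overwrite an earlier upload.
receive_upload() {
    upload_name=$(sanitize_name "$1") || {
        echo "recv-upload: refusing that file name" >&2
        return 1
    }
    upload_dest="$UPLOAD_DIR/$upload_name"
    if [ -e "$upload_dest" ]; then
        echo "recv-upload: that file already exists" >&2
        return 1
    fi
    # dd does the copy, as Owen suggested; the subshell umask keeps the file 0600
    (umask 077 && dd of="$upload_dest" 2>/dev/null)
}

# Only dispatch on SSH_ORIGINAL_COMMAND when run as the installed script, so
# the functions above can also be sourced and tested without touching stdin.
case "$0" in
    */recv-upload|recv-upload) receive_upload "${SSH_ORIGINAL_COMMAND:-}" ;;
esac
```

Anything the client sends other than a plain file name (a shell command, a path, an scp request) ends up in SSH_ORIGINAL_COMMAND, fails sanitize_name, and the connection closes with the error on stderr, which is the "kicked back with an error message" behaviour Owen describes.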