LinuxQuestions.org


taylorkh 07-01-2011 02:00 PM

Need user account which can connect by ssh but not login locally nor run shell
 
I wish to create a user account on my server which will be used ONLY to transfer files to/from the server over ssh. I do not want the account to be able to login at the console of the server, nor to be able to invoke a shell once it is connected to the server over ssh.

I think I recall being able to do this on HPUX (well actually I requested the account to be set up and the Unix admin created it and turned it over to me). I have no idea how this was done. Can anyone point me in the right direction? I am running Ubuntu 10.04 on the server if that matters.

TIA,

Ken

pingu 07-01-2011 02:23 PM

AFAIK that can not be done with pure ssh - ssh is "secure shell", you login to a shell on a remote computer with it.
What you are after is probably sftp, to the user it behaves just like ftp but transfer is with ssh - at least this is how I understand the docs, never used it just read about it so please don't shoot me if I'm wrong! ;-)

taylorkh 07-01-2011 02:41 PM

Thanks pingu, my bad. I am connecting with gnome-commander which has the choice "ssh" but which actually connects with "sftp". No shell is involved in the connection. On the other hand gnome-commander stores the password used for the connection in plain text :mad: and the "use gnome keyring" in gnome-commander does not work :mad::mad: so my workaround for the moment is to use a do-very-little account to make the connection.

I really need to rethink the whole approach to connecting from my PC to the server for the purpose of moving files. I could use nfs but it is not very secure (although I am on a private LAN and the risks are minimal). I can connect using nautilus but although the mount shows up on the desktop (Ubuntu 10.04) it is not available to gnome-commander which is my preferred file mover. I could use Samba but that is such a Windoze thing :cry:

Ken

Wim Sturkenboom 07-02-2011 12:45 AM

There are two ways that you can do this (as far as I know).

You can set up a ftp server with virtual users; that's the way I'm not familiar with. And you can set up a ftp server with normal users and don't allow login using a shell by setting the shell to /bin/false (or something like that; check your system). If the latter option still allows ssh access (I don't think it will but I'm not sure), you can block users in the sshd configuration.

Configure the ftp server to use ftps for secure transfers.

taylorkh 07-02-2011 08:44 AM

Thanks Wim Sturkenboom,

I set the shell to /bin/false and my dummy account cannot connect over ssh as expected. It also cannot connect by ssh or sftp or whatever gnome commander uses for its connection. So I guess I am on to plan B or C or perhaps I will explore Secure NFS which I think is related to Kerberos which I also need to explore.

Ken
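Added example, not part of the thread: the /bin/false result reported above occurs because sshd starts an external sftp-server through the account's login shell, whereas OpenSSH's `ForceCommand internal-sftp` inside a `Match` block serves SFTP in-process with no shell involved. This Python check audits an sshd_config for that setup; the account name `xfer`, the sample config and the function names are constructed for illustration, and only `Match User` criteria are understood.

```python
# Added example: not from the thread. Account name and config text are constructed.
NOLOGIN_SHELLS = {"/bin/false", "/usr/sbin/nologin", "/sbin/nologin"}

SAMPLE = """\
Subsystem sftp /usr/lib/openssh/sftp-server
Match User xfer
    ForceCommand internal-sftp
    AllowTcpForwarding no
"""

def parse(text):
    """Return (global_opts, [(match_criteria, opts)]) with lowercased keywords."""
    glob, blocks = {}, []
    target = glob
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        if not parts:
            continue
        key, value = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if key == "match":
            target = {}
            blocks.append((value, target))
        else:
            target.setdefault(key, value)  # first value seen wins, as in sshd
    return glob, blocks

def effective(text, user):
    """Options that apply to `user`. Simplification: only 'Match User a,b' is understood."""
    glob, blocks = parse(text)
    eff = dict(glob)
    for criteria, opts in reversed(blocks):
        words = criteria.split()
        if len(words) == 2 and words[0].lower() == "user" and user in words[1].split(","):
            eff.update(opts)  # Match values override global; earlier blocks win
    return eff

def findings(text, user, shell):
    """List reasons the account is not a working SFTP-only account."""
    eff = effective(text, user)
    forced = eff.get("forcecommand", "").split()[:1] == ["internal-sftp"]
    in_process = forced or eff.get("subsystem", "").split()[1:2] == ["internal-sftp"]
    out = []
    if shell in NOLOGIN_SHELLS and not in_process:
        out.append("sftp-broken: external sftp-server is launched via the login shell")
    if shell not in NOLOGIN_SHELLS and not forced:
        out.append("shell-allowed: no ForceCommand internal-sftp for this user")
    if eff.get("allowtcpforwarding", "yes").lower() != "no":
        out.append("forwarding-allowed: AllowTcpForwarding is not 'no'")
    return out
```

Run `findings()` against the real `/etc/ssh/sshd_config` text and the shell field from the account's `/etc/passwd` entry; an empty list means SFTP works while shell access and TCP forwarding are closed off.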

unSpawn 07-02-2011 09:11 AM

See if rssh or scponly work for you?

anomie 07-02-2011 09:29 AM

@taylorkh: Is this question about CentOS 5 on the server side? (I saw an Ubuntu reference, but you appeared to be talking about your desktop.) If CentOS 5, this is an easy enough problem to solve. Read the full instructions here:
http://www.linuxquestions.org/questi...on-rhel5-3495/

Wim Sturkenboom 07-02-2011 10:19 AM

Quote:

Originally Posted by taylorkh (Post 4402426)
Thanks Wim Sturkenboom,

I set the shell to /bin/false and my dummy account cannot connect over ssh as expected. It also cannot connect by ssh or sftp or whatever gnome commander uses for its connection. So I guess I am on to plan B or C or perhaps I will explore Secure NFS which I think is related to Kerberos which I also need to explore.

Ken

With the solution that I mention, I was talking about a ftp server and ftps (not sftp). But other solutions might be better.

taylorkh 07-02-2011 12:05 PM

Thanks anomie. At the moment I am on Ubuntu 10.04 on all machines. I may go to CentOS when I finally get tired of Ubuntu making things easy :rolleyes:

Ken

flamelord 07-02-2011 12:37 PM

If your concern is having a password in plain text, I would recommend using a key instead (which is more secure anyway). See https://help.ubuntu.com/community/SSH/OpenSSH/Keys. Then you should be able to use sftp without having to use or store a password.

taylorkh 07-02-2011 01:28 PM

Thanks as always unSpawn for answering the question! The products you mention look like they should do what I asked for. However, I am afraid my question was avoiding the root cause (pardon the pun) of my issue. The issue is that gnome-commander, my favorite file manager interface, saves passwords for remote connections in plain text in ~/gnome-commander/connections. If I try the "use gnome keyring" option in gnome-commander it does not do so and crashes about 9 out of 10 times. I have set up a dummy account with few privileges which I can use to connect to another machine. But that presents me with file permission issues. If I, ken, download a file on my low power consumption netbook and want to move it to my desktop PC I can connect as the dummy account and copy the file. However, the dummy account does not have write permissions to the file. The permissions created by ken are "-rw-r--r-- 1 ken ken". So unless I change my umask to 002 I cannot share write permission to the files in question. I believe I need to sit back and think this through a little more.

Thanks flamelord. That might be what I need. However, I am not sure how gnome-commander will interface with it. See the above paragraph. gnome-commander is the underlying cause of the issue. I have tried several other similar tools but despite its warts, gnome-commander is closest to what I want (although I just installed Krusader and it may have possibilities).

I think what I really need to do is to establish secure connections from the PC to the other machines (sort of like making an NFS mount) and then just access the mounted locations in gnome-commander and not worry about gnome-commander doing the connection. If your suggestion can do something like that it may solve the problem. I also have some information about using NFS over an ssh tunnel but I have not tried configuring such a thing yet.

Thanks all,

Ken

taylorkh 07-05-2011 07:49 AM

I have resolved the root (pardon the pun) cause of this fiasco. I have gotten gnome-commander to work with the Gnome Keyring and I can connect with my normal account and privileges. I do not need the dummy account. I am dummy enough :o

Ken


All times are GMT -5.