To limit ssh commands while enabling scp

Jerry Mcguire · 06-07-2012, 08:49 PM

Hi all,

I have two linux machines, one as server and one as client. The client needs to invoke commands on the server through ssh. e.g

Code:

user@client$  ssh oper@server cat /etc/passwd

user@client$  scp myfile oper@server:/myfile

SSH authentication is already done by key exchange, so the above are working as expected so far.

Then the server implements more security measures, to limit the commands through ssh:

Code:

oper@server$ cat ~/.ssh/authorized_keys 
command="exec sh ~/.ssh/limited-commands.sh" ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAn9keRyErfNWyIiScLWvVroO .... ....

oper@server$ cat ~/.ssh/limited-commands.sh
#!/bin/sh
arg1=${SSH_ORIGINAL_COMMAND%% *}
case $arg1 in
cat )
	exec $SSH_ORIGINAL_COMMAND
	;;
esac

Now ssh with cat still works, but scp doesn't. Is there any way to make both work?

Thank you.

acid_kewpie · 06-08-2012, 02:03 AM

Well I'd never heard of SSH_ORIGINAL_COMMAND, if I only learn one thing today.... ace!

So it looks like you just need to permit the execution of scp on the other end of the connection too, just like any other command being executed under this restriction:

http://www.linuxquestions.org/questi...ommand-686646/

Jerry Mcguire · 06-13-2012, 01:47 AM

Thank you. But the suggestions in the other post won't work.

Unlike "ssh", the command "scp" makes sense only in the client's context.

Code:

scp ~/file oper@server:~/

may run correctly in the client side because 'file' is on the client's home. Running the same in the server's prompt is totally wrong.

"ssh oper@server command arg arg ..." instructs the 'server' to execute some command by the 'oper' a/c; while
"scp file oper@server

ath" is a different thing.

I guess this remains unsolved...

acid_kewpie · 06-13-2012, 02:06 AM

As I understood it, scp runs on both sides in order to allow the transfer to work, between the two points. You can't scp anything to a remote location with scp installed remotely, i don't think. I just tested it to see if I could see scp running on a remote server when scping to it though, and I can't so maybe I'm totally wrong about that. ho hum.