Old 09-23-2010, 08:42 AM   #1
malickhat
Member
 
Registered: Jun 2009
Posts: 106

Rep: Reputation: 15
scp restriction to particular folder


This is my problem: I need to give some users from another machine access to my machine where they can get my data, but I want to give them only one dir where they can download files, and I'm trying to use scp for this solution.
Code:
[root@malick ~]# ssh -V
OpenSSH_3.9p1, OpenSSL 0.9.7a Feb 19 2003
 
Old 09-23-2010, 09:17 AM   #2
divyashree
Senior Member
 
Registered: Apr 2007
Location: bbsr,orissa,India
Distribution: RHEL5 ,RHEL4,CENT OS5,FEDORA,UBUNTU
Posts: 1,362

Rep: Reputation: 135
Quote:
Originally Posted by malickhat
This is my problem: I need to give some users from another machine access to my machine where they can get my data, but I want to give them only one dir where they can download files, and I'm trying to use scp for this solution.
Code:
[root@malick ~]# ssh -V
OpenSSH_3.9p1, OpenSSL 0.9.7a Feb 19 2003
SCP uses SSH, and by SSH a user has full control over a terminal as a local user, so have you given him root level access or user level access?

If you are giving root level access to others by ssh, then it's equivalent to root level access in the local system.

So give the remote user a user-level access permission. Then you can apply restrictions on different folders by restricting permissions.

Last edited by divyashree; 09-23-2010 at 09:26 AM.
 
Old 09-23-2010, 09:27 AM   #3
meandsushil
Member
 
Registered: Feb 2010
Posts: 143

Rep: Reputation: 14
How to block others from ssh to my system as root?
 
Old 09-23-2010, 09:45 AM   #4
divyashree
Senior Member
 
Registered: Apr 2007
Location: bbsr,orissa,India
Distribution: RHEL5 ,RHEL4,CENT OS5,FEDORA,UBUNTU
Posts: 1,362

Rep: Reputation: 135
Quote:
Originally Posted by meandsushil
How to block others from ssh to my system as root?
Simple answer, good password, which will be difficult for others to ssh as root.

Just create a user in your system in the name of whoever wants to access,

or ask them to access ssh as a user

Code:
#ssh user@<IP of your system>
or use the same format while doing scp.
 
Old 09-23-2010, 09:52 AM   #5
malickhat
Member
 
Registered: Jun 2009
Posts: 106

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by divyashree
SCP uses SSH, and by SSH a user has full control over a terminal as a local user, so have you given him root level access or user level access?
I've created a particular user for him, not root level access.

Code:
So give the remote user a user-level access permission. Then you can apply restrictions on different folders by restricting permissions.
I've completely blocked logging in to my system by etc host and deny. But by having non-root access, he can't download others' home dirs or so, but he can download /etc easily,
so my point is I want to give him only one folder, other than that nothing.
 
Old 09-23-2010, 03:15 PM   #6
divyashree
Senior Member
 
Registered: Apr 2007
Location: bbsr,orissa,India
Distribution: RHEL5 ,RHEL4,CENT OS5,FEDORA,UBUNTU
Posts: 1,362

Rep: Reputation: 135
All the /etc files are owned by root. He can get things but he can neither edit any of the files nor put anything there in /etc.

Do you keep data in /etc? It's only for system configuration files.
 
Old 09-23-2010, 03:23 PM   #7
jschiwal
LQ Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 670
Maybe this howto on chroot jailing ssh users would help.
http://www.howtoforge.com/chrooted_ssh_howto_debian

Last edited by jschiwal; 09-23-2010 at 03:24 PM.
 
Old 09-24-2010, 12:19 AM   #8
malickhat
Member
 
Registered: Jun 2009
Posts: 106

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by divyashree
All the /etc files are owned by root. He can get things but he can neither edit any of the files nor put anything there in /etc.
You're right, he can't put anything, but he can download all my service related configuration files, right? I really don't want to do that.

Quote:
Do you keep data in /etc? It's only for system configuration files.
I don't keep the data inside /etc, but I feel my sshd config file is also my data.
 
Old 09-24-2010, 12:22 AM   #9
malickhat
Member
 
Registered: Jun 2009
Posts: 106

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by jschiwal
Maybe this howto on chroot jailing ssh users would help.
http://www.howtoforge.com/chrooted_ssh_howto_debian
Really helped, but why can't there be any inbuilt configuration setup in ssh for this solution? Is that a bug or what?
 
Old 09-26-2010, 06:25 PM   #10
jschiwal
LQ Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 670
Because you are using the shell or scp, certain files must be available to support the session. The jail needs certain directories copied for the user's commands to work.

See the manpage for sshd_config. The last paragraph in the ChrootDirectory section explains that you can do things easier if you only allow sftp, but not ssh or scp.

Code:
In the special case when only sftp is used, not ssh nor scp, it is possible to use ChrootDirectory %h or ChrootDirectory /some/path/%u. The file system containing this directory must be mounted with options nodev and either nosuid or noexec. The owner of the directory should be the user. The ownership of the other components of the path must fulfill the usual conditions. No additional files are required to be present in the directory.
If you only want users to simply save or download files, you might consider using sftp instead of scp.

Last edited by jschiwal; 10-23-2010 at 07:33 AM.
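
The sftp-only setup that the manpage paragraph quoted in post #10 describes, as an added example that is not part of the original thread. ChrootDirectory and internal-sftp need OpenSSH 4.9 or later, so the OpenSSH_3.9p1 shown in post #1 would have to be upgraded first. The group name sftponly and the path /srv/sftp/%u are assumptions chosen for illustration.

```conf
# /etc/ssh/sshd_config (fragment)

# Use the in-process SFTP server so the chroot needs no binaries or
# libraries copied into it. Replace any existing "Subsystem sftp" line
# rather than adding a second one.
Subsystem sftp internal-sftp

# Hypothetical group "sftponly": add the download-only accounts to it.
Match Group sftponly
    # Hypothetical path; %u expands to the login name, so each account
    # sees only its own directory as "/".
    # Ownership rules for this directory differ between builds: upstream
    # sshd_config(5) requires every path component to be root-owned and
    # not group- or world-writable, while the text quoted in post #10
    # says the directory owner should be the user. Follow the manpage
    # installed on your system.
    ChrootDirectory /srv/sftp/%u

    # Ignore whatever command the client asks for and run only the SFTP
    # server: interactive ssh logins and scp stop working for these
    # accounts, sftp keeps working.
    ForceCommand internal-sftp

    # Close the remaining ways to reach past the file transfer.
    AllowTcpForwarding no
    X11Forwarding no
```

Check the file with `sshd -t` before restarting sshd, so that a syntax error does not lock out remote logins.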
 
  

