LinuxQuestions.org
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 08-07-2002, 07:11 AM   #1
macone
Question using sftp without having a Shell on serverside


Hello guys,

what I want to do:

User XY should be able to access the server FTPSERVER only via sftp. For this reason user XY has no shell (/bin/false in /etc/passwd). Is this possible, and if yes, how does it work?

Thank you in advance!
 
Old 08-08-2002, 07:38 AM   #2
unSpawn
http://www.snailbook.com/faq/restricted-scp.auto.html
 
Old 08-09-2002, 01:03 AM   #3
macone
Thank you for the tip. That's at least an approach:

Quote:
Originally posted by unSpawn
http://www.snailbook.com/faq/restricted-scp.auto.html
But the problem is, I've got no ssh-dummy-shell. It's not part of the HP-UX ssh distribution that I am required to use. I can't follow the description of the other way described on this FAQ site.

Best regards

MacOne
 
Old 08-09-2002, 06:31 AM   #4
unSpawn
Btw, we didn't establish if you're using OpenSSH or SSH, the difference being if you're using SSH (ssh*.com/ssh*.fi) you prolly are entitled to Commercial Support.

Ok, by the "other way" you prolly mean the auth_key thing. IMO, how slim are chances that if you "chattered +iu" the whole user env, except for the dropzone, that they will be able to modify/add to the shell's env, or drop binaries in that allow execution?

I've got *no* expertise on HP-UX, so you'll have to work it out yourself, but I found this source in an NG. I modified it in the sense that I added comments in as a warning. Maybe this will help; else, using HP-UX, you're prolly entitled to Commercial Support there as well.

here it goes, HTH somehow:

Code:
============================================
/*
 * $Id: scp2shell.c,v 1.1 2000/08/24 06:09:12 dean2 Exp $
 *
 * Copyright by the Board of Trustees of the University of South
 * Carolina.  This software may be distributed and used under the
 * terms of the Gnu Public License (GPL) or the Perl Artistic License,
 * whichever you prefer.
 *
 * N. Dean Pentcheff  <dean2@biol.sc.edu>
 * Biological Sciences, University of South Carolina, Columbia SC 29208 USA
 *
 * A substitute login shell that allows only ssh2 file transfers, but
 * no shell commands.  Designed to allow for a black-box Unix/Linux
 * server that permits file storage and transfer, but does not permit
 * Unix-style shell logins.  Handles both scp and sftp.
 *
 * Works by recognizing the particular arguments that ssh2 uses for
 * scp and sftp and appropriately fires off sftp-server.  Any other
 * arguments (or a lack of them) cause an immediate exit.  This all
 * assumes a standard installation of ssh2 on the host Unix computer.
 */

/* Full path to the sftp-server binary (installed as part of ssh2) */
#define SFTPSERVERPATH "/usr/local/bin/sftp-server"

#include <stdlib.h>   /* exit() */
#include <string.h>   /* strcmp() */
#include <unistd.h>   /* execl() */

int
main(int argc, char **argv) {
    /* sshd2 runs the file-transfer subsystem as "<shell> -c sftp-server".
     * Accept exactly that argument list and nothing else; an interactive
     * login (no arguments) or any other command falls through to exit(). */
    if (--argc == 2                 &&
        strcmp("-c", *++argv) == 0  &&
        strcmp("sftp-server", *++argv) == 0) {
        execl(SFTPSERVERPATH, SFTPSERVERPATH, (char *)NULL);
        /* only reached if the exec itself failed */
    }
    exit(1);   /* non-zero: the requested command was refused */
}

/*
 * $Log: scp2shell.c,v $
 * Revision 1.1  2000/08/24 06:09:12  dean2
 * Initial revision
 *
 */

/*
 *This is a good approach.  Since sshd2 uses the target account's login
 *shell when running anything on the user's behalf, restricting what the
 *shell can do is the most foolproof method of restricting the account's
 *capabilities.  Placing a forced command in the authorization file won't
 *help, for instance, because that too will be run by the shell, which will
 *only run sftp-server.
 *
 *One thing to keep in mind is that your users will still be able to
 *manipulate files in ~/.ssh2.  They can't circumvent the sftp restriction,
 *but they can open up their account to others, etc.  This may or may not be
 *what you intend.  You can use UserConfigDirectory to change the location
 *of the per-account server config files if you want.
 *
 *By the way, you have essentially re-written ssh-dummy-shell, which comes
 *with SSH2.  ssh-dummy-shell provides a couple more features; see the man
 *page.
 */
============================================
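The posted scp2shell.c matches the bare word "sftp-server" that the commercial SSH2 daemon passes. OpenSSH (and derivatives like the HP one mentioned) instead runs the subsystem as "<shell> -c <full command from the Subsystem line in sshd_config>", so a restricted shell for it has to compare against that configured path. Added example, not the posted code and not HP's or OpenSSH's; the sftp-server paths in the allow list are assumptions and must match your sshd_config:

```c
/* Restricted login shell for OpenSSH-style subsystem invocation.
 * sshd executes "<shell> -c <command>" where <command> is the exact string
 * from the "Subsystem sftp ..." line; anything else is refused, including
 * interactive logins (no arguments) and scp, which is not an sftp subsystem. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Exact command strings sshd may hand us (assumed paths; edit to match
 * the Subsystem line of your sshd_config).  Anything else is refused. */
static const char *const ALLOWED[] = {
    "/usr/libexec/sftp-server",       /* common OpenSSH default */
    "/usr/local/libexec/sftp-server", /* common from-source install */
    NULL
};

/* Return the allow-listed command matching argv, or NULL if the invocation
 * is not exactly "<shell> -c <allowed-path>".  Whole-string compare only:
 * no prefix matching, so "/usr/libexec/sftp-server; sh" is refused. */
const char *allowed_command(int argc, char **argv)
{
    if (argc != 3 || strcmp(argv[1], "-c") != 0)
        return NULL;
    for (const char *const *p = ALLOWED; *p != NULL; ++p)
        if (strcmp(argv[2], *p) == 0)
            return *p;
    return NULL;
}

int main(int argc, char **argv)
{
    const char *cmd = allowed_command(argc, argv);
    if (cmd == NULL) {
        fprintf(stderr, "This account permits sftp file transfer only.\n");
        return 1;
    }
    /* Replace this process with sftp-server; pass no extra arguments. */
    execl(cmd, cmd, (char *)NULL);
    perror("execl");   /* only reached if the exec itself failed */
    return 1;
}
```

Install it with a mode of 0755 owned by root, list it in /etc/shells only if your login tooling insists, and set it as the user's shell; the caveat from the posted comments still applies, since the user can edit ~/.ssh/authorized_keys unless the home directory is locked down.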
 
Old 08-09-2002, 07:17 AM   #5
macone
Quote:
Originally posted by unSpawn
Btw, we didn't establish if you're using OpenSSH or SSH, the difference being if you're using SSH (ssh*.com/ssh*.fi) you prolly are entitled to Commercial Support.
The version that I use is neither OpenSSH nor commercial SSH. It is a customised version of OpenSSH by HP, and it's freeware. Only registered customers get support, and too bad, I'm not one.