scponly(8) | System Manager's Manual | scponly(8) |
NAME
scponly
SYNOPSIS
scponly |
— limited shell for secure file transfers
DESCRIPTION
scponly
is an alternative
"shell" (of sorts) for system administrators who would like to
provide access to remote users to both read and write local files without
providing any remote execution privileges. Functionally, it is best
described as a wrapper to the trusted suite of ssh applications.
A typical usage of scponly
is in creating
a semi-public account not unlike the concept of anonymous login for ftp.
This allows an administrator to share files in the same way an anonymous ftp
setup would, only employing all the protection that ssh provides. This is
especially significant if you consider that ftp authentications traverse
public networks in a plaintext format.
Instead of just a single anonymous user,
scponly
supports configuring potentially many users,
each of which could be set up to provide access to distinct directory trees.
Aside from the installation details, each of these users would have their
default shell in /etc/passwd set to "/usr/local/bin/scponly" (or
wherever you choose to install it). This would mean users with this shell
can neither login interactively or execute commands remotely. They can
however, scp files in and out, governed by the usual Unixish file
permissions.
FEATURES
- Logging:
scponly
logs time, client IP address, username, and the actual request to syslog. - chroot:
scponly
can chroot to the user's home directory (or any other directory the user has permissions for), disallowing access to the rest of the filesystem. - sftp compatibility: My testing of sftp against an
scponly
user worked great. This is probably the cleanest and most usable way for anscponly
user to access files. - Security checks: root login is disallowed (though root should never be
configured to be using
scponly
as the default shell.) - WinSCP 2.0 compatibility:
scponly
can be compiled in WinSCP compatibility mode that will permit a "semi-interactive" shell that WinSCP can use. - gftp compatibility:
scponly
is compatible with gftp if you set "use ssh2 sftp subsys" in your gftp options.
scponly
doesn't do anything to manage
read/write permissions. The ssh applications already do that just fine. If
you use scponly
, be aware that good old Unix-style
file permissions are still doing the work of protecting your files.
NOTES
- As recent as June 26, 2002, vulnerabilities have been discovered in
OpenSSH. There is also a SSH1 protocol vulnerability. If you're going to
use
scponly
, be aware it is no more secure than the ssh installation it runs on. - I've since discovered that ssh.com's commercial ssh offering supports BOTH
"dummy users" as well as functionality paralleling
scponly
. I have not been able to find any notes on these features, but I did read that they exist. I will make a point to include more information later. It appears that OpenSSH does not yet support these features. At this time, I have no plans to end-of-lifescponly
, though ultimately, I recognize thatscponly
should eventually become just a feature of whichever sshd you may run.
FILES
- /usr/local/bin/scponly
- The default location for the shell itself.
- /usr/local/sbin/scponlyc
- The default location for the chrooted version of
scponly
- /etc/shells
- To be a proper shell, it has to be included here.
SEE ALSO
AUTHORS
Joe Boyle ⟨joe@sublimation.org⟩.
LEGALITIES
Copyright (C) 2001, 2002, 2003
Joe Boyle ⟨joe@sublimation.org⟩.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
BUGS
Versions prior to 2.4 have a vulnerability wherein the .ssh/environment file can be used to override $PATH and $LD_LIBRARY_PATH vars, compromising the shell.
Sept 03, 2002 |