Subject: RE: I have a question about ssh and scp.
From: WiltonDaedilus
Date: Fri Dec 22 2000 - 19:53:00 CST


Is there a way of restricting them without using the RSA key? I'm using
courier-imap and SSL only. I don't want to have to give a separate login for
email. These are Windows clients.

-----Original Message-----
From: owner-tech@openbsd.org [mailto:owner-tech@openbsd.org] On Behalf Of
Erik Fichtner
Sent: Friday, December 22, 2000 4:31 PM
To: Ian Darwin
Cc: WiltonDaedilus; tech@openbsd.org
Subject: Re: I have a question about ssh and scp.

On Fri, Dec 22, 2000 at 06:30:23PM -0500, Ian Darwin wrote:
> On Fri, Dec 22, 2000 at 12:29:32AM -0800, WiltonDaedilus wrote:
> > I'm trying to run a small web server. I don't like ftp so I don't run it.
> > Instead I prefer that people use scp. The question is: Is there a way of
> > allowing people to scp their website files back and forth while preventing
> > shell access?

Use rksh for their shell.

mkdir /usr/local/rbin ; ln -s /usr/local/bin/scp /usr/local/rbin/scp

Use RSA keys for user authentication. Disable their password.

Make their home dir structure owned by root and not writable (except for
the parts you want them to write, which probably should be in a separate
hierarchy).

Put things like
"environment="PATH=/usr/local/rbin",no-pty,no-X11-forwarding,no-agent-forwarding"
at the beginning of their RSA key. See the sshd man page if
you don't understand this.

Now they can only execute commands that exist in /usr/local/rbin.

Enjoy.

--
Erik Fichtner
Security Administrator, ServerVault, Inc.
703-333-5900
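The steps Erik lists above, collected into one script as an added example (this is not code from the thread or from OpenBSD). Everything not stated in the thread is an assumption: the account name is passed in as "webuser", the restricted shell is /bin/rksh, usermod(8) with -s and -p is used to change the shell and disable the password, and the one writable area is /var/www/htdocs/$user rather than anything under the home directory. The script also adds no-port-forwarding to Erik's option list, since without it the key holder could still tunnel TCP connections through the server.

```shell
#!/bin/sh
# Added example, not from the original thread: build an scp-only account
# along the lines Erik Fichtner describes. Assumptions (not in the thread):
# /bin/rksh as the restricted shell, usermod(8) -s/-p for shell and password,
# and /var/www/htdocs/$user as the single writable directory.

RBIN=/usr/local/rbin          # the only directory on the restricted PATH
SCP=/usr/local/bin/scp        # Erik's path; the stock OpenBSD scp is /usr/bin/scp
WEBROOT=/var/www/htdocs       # writable tree, kept outside the root-owned home (assumed layout)

# Options that go in front of the public key in ~/.ssh/authorized_keys.
# no-port-forwarding is added beyond the thread's list so the key cannot
# be used to tunnel TCP through the host.
KEY_OPTS="environment=\"PATH=$RBIN\",no-pty,no-X11-forwarding,no-agent-forwarding,no-port-forwarding"

# key_line PUBKEY -> the complete authorized_keys entry for that key
key_line() {
    printf '%s %s\n' "$KEY_OPTS" "$1"
}

# dir_locked DIR -> succeeds only if DIR is owned by root and neither
# group- nor world-writable, i.e. the user cannot plant files (such as a
# .profile or a replacement authorized_keys) in it.
dir_locked() {
    [ -d "$1" ] &&
    [ -n "$(find "$1" -prune -user root ! -perm -020 ! -perm -002 -print)" ]
}

# setup_account USER PUBKEY_FILE -> performs the steps; must run as root.
setup_account() {
    user=$1
    pub=$2
    home=/home/$user

    # 1. A bin directory containing only scp; rksh will not run anything
    #    outside PATH and refuses command names that contain a '/'.
    mkdir -p "$RBIN"
    ln -sf "$SCP" "$RBIN/scp"

    # 2. Restricted shell, and no usable password (key authentication only).
    usermod -s /bin/rksh "$user"
    usermod -p '*' "$user"

    # 3. Home and ~/.ssh owned by root and read-only for the user, so the
    #    options in authorized_keys cannot be edited away by the account.
    mkdir -p "$home/.ssh"
    key_line "$(cat "$pub")" > "$home/.ssh/authorized_keys"
    chown -R root "$home"
    chmod 755 "$home" "$home/.ssh"
    chmod 644 "$home/.ssh/authorized_keys"

    # 4. The only place the account may write: its web tree, in a separate hierarchy.
    mkdir -p "$WEBROOT/$user"
    chown "$user" "$WEBROOT/$user"
    chmod 755 "$WEBROOT/$user"

    dir_locked "$home" || echo "warning: $home is still writable or not root-owned" >&2
}

# Only act when told to, e.g.:  ./restrict-scp.sh apply webuser /tmp/webuser.pub
case "${1:-}" in
    apply) setup_account "$2" "$3" ;;
esac
```

Two caveats worth knowing before relying on this. The environment= option lives in authorized_keys, so it only takes effect for key-based logins; that is why Erik pairs it with disabling the password, and it does nothing for a password login. Second, OpenSSH releases from 3.5 onward ignore environment= in authorized_keys unless sshd_config contains PermitUserEnvironment yes, so on a newer server the PATH restriction silently disappears unless that option is set.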