scp without permitting shell access, possible?
Martin Forssen
maf at appgate.com
Fri Dec 15 13:35:51 EST 2000
On 14 Dec, mouring at etoh.eviladmin.org wrote:
>
> On Thu, 14 Dec 2000, Jos Backus wrote:
>
>> [My apologies if this question is deemed inappropriate for this list.]
>>
>> Using OpenSSH, is it possible for a program/script to copy files with
>> known filenames from a remote server (running sshd), without allowing
>> (interactive) ssh access to that server? I.e. ``ssh server ls'' or
>> ``ssh server'' should not be possible (for security reasons), but
>> ``scp server:file .'' should.
>>
> I don't see how you can do such a thing without changing how scp
> works. (Which is scp would no longer spawn the user's interactive
> shell, but either spawn /bin/sh w/ no .*rc files.)
>
> I'd have to test it.. but you may be able to pull it off with
> sftp-server. But I am not up on my 'subsystem' definations of SSH2.
You could write a custom login-shell for the user on the server which
only allows execution of the scp program.
/MaF
More information about the openssh-unix-dev
mailing list