scp without permitting shell access, possible?

Martin Forssen maf at appgate.com
Fri Dec 15 13:35:51 EST 2000


On 14 Dec, mouring at etoh.eviladmin.org wrote:
> 
> On Thu, 14 Dec 2000, Jos Backus wrote:
> 
>> [My apologies if this question is deemed inappropriate for this list.]
>> 
>> Using OpenSSH, is it possible for a program/script to copy files with
>> known filenames from a remote server (running sshd), without allowing
>> (interactive) ssh access to that server? I.e. ``ssh server ls'' or
>> ``ssh server'' should not be possible (for security reasons), but
>> ``scp server:file .'' should.
>> 
> I don't see how you can do such a thing without changing how scp
> works. (Which is scp would no longer spawn the user's interactive
> shell, but either spawn /bin/sh w/ no .*rc files.)
> 
> I'd have to test it.. but you may be able to pull it off with
> sftp-server.  But I am not up on my 'subsystem' definitions of SSH2.

You could write a custom login-shell for the user on the server which
only allows execution of the scp program.

	/MaF
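
A sketch of the custom login shell suggested above, as an added example that is not from the original thread. It assumes the scp client requests a download by having the server run `scp -f <file>`, and that sshd starts the login shell as `<shell> -c '<command>'`; `SCP_BIN`, its path, and the function names are hypothetical.

```shell
#!/bin/sh
# scp-only login shell (added example; SCP_BIN and function names are assumptions).
# The command string is split and checked here and is never handed to a real shell.
LC_ALL=C; export LC_ALL
SCP_BIN=${SCP_BIN:-/usr/bin/scp}   # assumed install path

# Return 0 only for: scp [-v|-p|-r|-d]... -f <one path>
scp_only_check() {
    set -f                 # no globbing while we split the command ourselves
    set -- $1              # split on whitespace only; never eval the string
    set +f
    [ "${1-}" = "scp" ] || return 1
    shift
    seen_f=0
    while [ $# -gt 1 ]; do
        case $1 in
            -v|-p|-r|-d) ;;
            -f) seen_f=1 ;;            # source mode: server sends the file
            *) return 1 ;;             # -t (upload) and anything else is refused
        esac
        shift
    done
    [ "$seen_f" -eq 1 ] && [ $# -eq 1 ] || return 1
    case $1 in
        -*|'') return 1 ;;                 # would be parsed as an option
        *[!A-Za-z0-9._/-]*) return 1 ;;    # metacharacters, quotes, and so on
    esac
    return 0
}

scp_only_main() {
    if scp_only_check "$1"; then
        set -f; set -- $1; set +f
        shift                      # drop the client-supplied "scp"
        exec "$SCP_BIN" "$@"       # run the fixed binary with the checked words
    fi
    echo "This account may only be used for scp downloads." >&2
    return 1
}

# An interactive login passes no -c, so the script just ends and no shell is offered.
if [ "${1-}" = "-c" ]; then scp_only_main "${2-}"; exit $?; fi
```

The check limits what command runs, not which files it may read; ordinary file permissions for the account still decide that.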






More information about the openssh-unix-dev mailing list