scp without permitting shell access, possible?

Jason Stone jason at dfmm.org
Fri Dec 15 13:37:29 EST 2000


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


> [My apologies if this question is deemed inappropriate for this list.]

I think it kind-of is, but that's okay.


> Using OpenSSH, is it possible for a program/script to copy files with
> known filenames from a remote server (running sshd), without allowing
> (interactive) ssh access to that server? I.e. ``ssh server ls'' or
> ``ssh server'' should not be possible (for security reasons), but
> ``scp server:file .'' should.

The way I usually do this is with keys and command squashing.
"man sshd" for the details, but basically, you set up keys like normal
("man ssh-keygen") but in the authorized_keys file, you preface the key
you want to restrict with restriction commands.  An example:

Say your rsa public key looks like:

1024 35 41249862493867123982176...lots of digits...11243590723 user@host

You would tack onto the front command="scp -f <file>" - so the line in
your authorized_keys file would look like:

command="scp -f <file>" 1024 35 41249862...lots of digits...723 user@host

all on one line.

Now, whenever someone logs in with this key, no matter what command they
try to run, the server will only (and always) run that scp.


And you can add other restrictions too - for example, you should probably
prevent port forwarding to the machine, so the restriction string (all the
text before the "1024 35 1212541512342...") might look like:

command="scp -f <file>",no-port-forwarding,no-X11-forwarding,no-pty


 -Jason

 ---------------------------
 If the Revolution comes to grief, it will be because you and those you
 lead have become alarmed at your own brutality.         --John Gardner




-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (FreeBSD)
Comment: See https://private.idealab.com/public/jason/jason.gpg

iD8DBQE6OYPsswXMWWtptckRAoTTAJ4/vVoQ1IlflclcboPI8IaVFw01/gCgvuiR
ZIzAHBOGyt+ekKPR5jEqWgo=
=QsrM
-----END PGP SIGNATURE-----
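Added example (not part of Jason's message or of OpenSSH itself): a script that prints the restricted authorized_keys line described above, and a forced-command wrapper that generalizes it from one fixed file to a short list of known filenames. It assumes sshd passes the client's requested command in SSH_ORIGINAL_COMMAND when command="..." is set (a documented sshd feature, not mentioned in the message), that the files live in a hypothetical /var/export directory, and that the wrapper is installed at the hypothetical path /usr/local/bin/scp-only.sh.

```shell
#!/bin/sh
# Constructed sample key, not a real one (same layout as in the message).
PUBKEY='1024 35 41249862493867123982176 user@host'

# Files the restricted key may fetch; anything else is refused.
KNOWN_FILES="report.txt data.csv"
EXPORT_DIR=/var/export   # assumed directory holding the exported files

# restricted_key_line FILE PUBKEY: print the authorized_keys line exactly as
# the message builds it: forced "scp -f FILE" plus the three no-* options.
restricted_key_line() {
    printf 'command="scp -f %s",no-port-forwarding,no-X11-forwarding,no-pty %s\n' "$1" "$2"
}

# allowed_scp_command CMD: succeed only if CMD is exactly "scp -f <name>" with
# <name> in KNOWN_FILES. Exact string match means no upload mode (scp -t),
# no extra options, no "../" paths and no trailing ";sh" get through.
allowed_scp_command() {
    cmd=$1
    for f in $KNOWN_FILES; do
        [ "$cmd" = "scp -f $f" ] && return 0
    done
    return 1
}

# Entry point when sshd runs this script as the forced command, e.g.
#   command="/usr/local/bin/scp-only.sh serve",no-port-forwarding,no-X11-forwarding,no-pty <key>
# sshd sets SSH_ORIGINAL_COMMAND to what the client asked for (assumption).
run_forced_command() {
    requested=${SSH_ORIGINAL_COMMAND-}
    if allowed_scp_command "$requested"; then
        # Serve the file from EXPORT_DIR; "scp -f" is the sending side of scp.
        cd "$EXPORT_DIR" && exec scp -f "${requested#scp -f }"
    fi
    echo "Only scp of known files is permitted." >&2
    exit 1
}

# Only act as the wrapper when invoked with the "serve" argument, so the
# functions above can also be sourced or tested without touching sshd.
if [ "${1-}" = serve ]; then
    run_forced_command
fi
```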