scp without permitting shell access, possible?
Lee Eakin
leakin at japh.itg.ti.com
Fri Dec 15 14:03:48 EST 2000
Instead of setting command to 'scp -f file' you need to write a simple
wrapper script and set command to that script. Then that script can parse
thru the environment variable "SSH_ORIGINAL_COMMAND". If the command is
'scp -f ' and one of the allowed files then it exec's that command,
otherwise it prints an error, (possibly logs or mails the admin of the
attempted command) and exits.
-Lee
---begin quoted text---
> Delivered-To: openssh-unix-dev-list-93873 at mindrot.org
> Date: Thu, 14 Dec 2000 18:45:29 -0800
> From: Jos Backus <josb at cncdsl.com>
> To: openssh-unix-dev at mindrot.org
> Subject: Re: scp without permitting shell access, possible?
> Reply-To: Jos Backus <josb at cncdsl.com>
> User-Agent: Mutt/1.2.5i
>
> On Thu, Dec 14, 2000 at 06:37:07PM -0800, Jason Stone wrote:
> > command="scp -f <file>",no-port-forwarding,no-X11-forwarding,no-pty
>
> I have thought of that, and am in fact using it for another application
> already.
>
> The problem is that <file> varies. E.g. I fetch a well-known file(name) which,
> among others, contains the list of other files I need to fetch. It's not
> feasible to have separate identities for each file.
>
> Thanks,
> --
> Jos Backus _/ _/_/_/ "Modularity is not a hack."
> _/ _/ _/ -- D. J. Bernstein
> _/ _/_/_/
> _/ _/ _/ _/
> josb at cncdsl.com _/_/ _/_/_/ use Std::Disclaimer;
---end quoted text---
--
Lee Eakin - leakin at ti.com - Naming Services, Texas Instruments -o)
[ permanent e-mail: Lee at Eakin.Org ] /\\
_\_v
Farnsdick's corollary:
After things have gone from bad to worse,
the cycle will repeat itself.
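
The wrapper described in the message above could look like the following sketch. This is an added example, not code from the original post or from OpenSSH; the install path, the allowlist entries and the function names are assumptions, and it expects a client that sends `scp -f <file>` as the remote command.

```shell
#!/bin/sh
# Added example: forced-command wrapper, installed as /usr/local/bin/scp-wrapper
# (assumed path) and referenced from authorized_keys like this:
#   command="/usr/local/bin/scp-wrapper",no-port-forwarding,no-X11-forwarding,no-pty <key>

# Constructed allowlist: one absolute path per line.
ALLOWED_FILES="/srv/export/index.txt
/srv/export/data1.tar
/srv/export/data2.tar"

# check_command CMD
# Succeeds only if CMD is exactly "scp -f <file>" and <file> is on the
# allowlist. On success the path is left in REQUESTED_FILE.
check_command() {
    REQUESTED_FILE=
    case $1 in
        "scp -f "*) candidate=${1#scp -f } ;;
        *) return 1 ;;
    esac
    [ -n "$candidate" ] || return 1
    # Whole-string comparison: no globbing, no word splitting, so trailing
    # shell metacharacters or extra arguments never match an entry.
    while IFS= read -r allowed; do
        if [ "$candidate" = "$allowed" ]; then
            REQUESTED_FILE=$allowed
            return 0
        fi
    done <<EOF
$ALLOWED_FILES
EOF
    return 1
}

wrapper_main() {
    if check_command "${SSH_ORIGINAL_COMMAND:-}"; then
        # Pass the allowlisted path as a single argument; nothing the
        # client sent is ever evaluated by a shell.
        exec scp -f "$REQUESTED_FILE"
    fi
    logger -p auth.warning -t scp-wrapper \
        "denied for ${USER:-unknown}: ${SSH_ORIGINAL_COMMAND:-<no command>}"
    echo "scp-wrapper: command not permitted" >&2
    exit 1
}

# Run only when invoked under the installed name, so the functions above
# can be sourced and tested on their own.
case $0 in
    */scp-wrapper|scp-wrapper) wrapper_main ;;
esac
```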