SSH ok, SFTP ok , SCP broken... custom shell

Darren Tucker dtucker at
Fri Dec 9 10:59:49 EST 2005

Graeme Tattersall wrote:
> Hi,
> Can anyone explain why a shell-wrapper script of the following form breaks scp?
> Can this kind of thing be re-worked to fix the breakage?
> The wrapper does not produce output, and checks a shell.allow file to see if
> access to a real shell such as bash should be granted.
> ------------
> eg :
> #!/bin/sh
> if [ grep $LOGNAME /etc/shell.allow 2>&1 > /dev/null ]

You don't need the "[]" brackets, they're the equivalent of the "test" 

Also, you should match against a complete line not a substring.  If user 
"foobar" is in shell.allow, then this will permit users "foo" and "bar" 
as well.  You can do this with egrep and regex anchors, eg

	if egrep "^$LOGNAME$" /etc/shell.allow

> then
>    exec -a - /bin/bash $*

This is your problem: you're not preserving the argument quoting.  Try:
	exec -a - /bin/bash "$@"

> else
>    echo "Access Denied - Please request access"
> fi

Darren Tucker (dtucker at
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
     Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

More information about the openssh-unix-dev mailing list