OpenSSH anything like 'internal-sftp' but for SCP?

ssh sftp scp chroot jail
20,000

Solution 1

Take a look at rssh which is an alternative shell that allows limited access to a system.

rssh is a restricted shell for providing limited access to a host via ssh(1), allowing a user whose shell is configured to rssh to use one or more of the command(s) scp(1), sftp(1) cvs(1), rdist(1), and rsync(1), and only those commands.

You can configure which commands can be used on a per-user or system wide basis using the rssh.conf file

Alternatively you can use scponly to do what you want. It acts as a wrapper to the ssh suite and allows file transfer but not shell access.

Solution 2

I'm afraid there is nothing similarly easy or reliable with OpenSSH, since as you observed there is a built-in SFTP server, but no built-in SCP server.

A warning: the suggestion by Vince Berk is bad for a number of reasons:

  1. The shell's behavior with regard to startup files can be influenced by environment variables, which SSH can remotely set depending on server configuration.
  2. The user can just run ssh /bin/bash and get a shell. It won't have a tty and so will be inconvenient to use, but so what... not to mention all the other programs he can run that you presumably don't want him to.
  3. Changing the permissions of .bash_profile does little good if the user can just do "ssh host rm -f .bash_profile"; nothing was mentioned about the home directory permissions.

... and so on. This sort of approach is just way too fragile.

Solution 3

Do you need to do this through ssh?

IF so you can try setting their shell to:

/usr/libexec/openssh/sftp-server

And make sure you add the above into /etc/shells

If you want to decouple from using built in accounts, you can setup proftpd

I setup a secure SFTP using proftpd. compiled proftpd like so:

./configure --prefix=/usr --sysconfdir=/etc --with-modules=mod_sftp

Can use this article below, and some more on google on how to set it up:

http://tutorialgenius.blogspot.com/2012/02/linux-installing-and-configuring.html

Share:
20,000

Related videos on Youtube

brianjcohen
Author by

brianjcohen

Updated on September 18, 2022

Comments

  • brianjcohen
    brianjcohen almost 2 years

    I'm running Debian stable and I'm looking to establish the following environment for users in my 'sftponly' group:

    • jailed
    • can transfer with SFTP
    • can transfer with SCP
    • cannot login interactively with SSH

    From my experimentation and research, it seems that the following stanza in sshd_config gets me 90% there:

    Match group sftponly
ChrootDirectory /sftp/%u
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp

    This gives me jailed SFTP and no SSH, which is good. But it also disables SCP, which is less than ideal because quite a few clients are legacy, scripted processes that use SCP rather than SFTP (the server we're replacing supported both protocols), and since those clients are not under our control and easily modified, it's likely not practical to disable SCP altogether.

    It makes sense that this configuration would disable SCP, as incoming SCP connections cause sshd to spawn an `scp' process via the user's login shell, as that user. It seems that the same would normally be true of SFTP, were it not for the special 'internal-sftp' handler.

    So, I suppose my question is: is there a way to achieve the same effect as 'internal-sftp' but for SCP, without resorting to the use of third-party tools like scponly and rssh? The really nice thing about 'internal-sftp' is that it doesn't require setting up a jail with support files, or dealing with potentially-exploitable third party setuid binaries (rssh, in particular, has a history of exploits).

    • Jenny D
      Jenny D almost 12 years
      Are the clients connecting using an ssh key file, or are they using passwords? If it's a keyfile, it's possible to restrict what they can do.
    • brianjcohen
      brianjcohen almost 12 years
      They are connecting with passwords.
  • brianjcohen
    brianjcohen almost 12 years
    This approach does not seem to take the requirement for the jail into account.
  • Vince Berk
    Vince Berk almost 12 years
    Yes, unfortunately you would have to create a manual chroot environment for the 'scp' side, overlapping with the chroot directory given in sshd_config, and perform the above trick for each user you want to restrict. The 'scp' does not work with the internal sftp server.

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

Up-to-date alternatives of rssh or scponly
Restricting an SSH/SCP/SFTP user to a directory
Getting "Command not found" when using pscp command
Why is rsync 2x faster than sftp?
Limit SFTP user access to specified directory
How can I chroot sftp-only SSH users into their homes?
Chrooted SFTP with full access to SSH stopped working (Debian)
SSH SFTP: transfer local directory to remote server
What's the difference between SCP and SFTP?
SFTP - couldnt read packet: connection reset py peer