From owner-ssh@clinet.fi Fri May 18 04:14:14 2001 Received: from smtp1.clinet.fi (smtp1.clinet.fi [194.100.2.57]) by hutcs.cs.hut.fi (8.9.3/8.9.3) with ESMTP id EAA00386 for ; Fri, 18 May 2001 04:14:14 +0300 (EET DST) Received: from mail.clinet.fi (mail.clinet.fi [194.100.0.7]) by smtp1.clinet.fi (Postfix) with ESMTP id DE0FE2010C; Fri, 18 May 2001 04:14:07 +0300 (EEST) Received: (from majordom@localhost) by mail.clinet.fi (8.9.3/8.9.3) id DAA01170 for ssh-outgoing; Fri, 18 May 2001 03:52:50 +0300 Received: from cybercebu.com ([203.148.68.2]) by mail.clinet.fi (8.9.3/8.9.3) with ESMTP id DAA01155 for ; Fri, 18 May 2001 03:52:40 +0300 Received: from marlene.cybercebu.com (marlene.cybercebu.com [203.148.68.2]) by cybercebu.com (8.11.3/8.11.3) with ESMTP id f4I0rEm10865; Fri, 18 May 2001 08:53:15 +0800 Date: Fri, 18 May 2001 08:53:13 +0800 (PHT) From: "Julius C. Duque" To: Jesse Adelman Cc: ssh@clinet.fi Subject: Re: No shell access? In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-ssh@clinet.fi Precedence: bulk On Thu, 17 May 2001, Jesse Adelman wrote: > Hello, good SSH users and developers. I need to set up SSH such that users > can scp and sftp but NOT log in to a shell. I've attempted to set a shell as > /bin/, but that breaks SSH generally, including scp and sftp. > What is the best/preferred method for disabling shell access and allowing > scp and sftp to work? > > Systems used: RH Linux, Solaris 8 I also once had this problem. Here's how I solved it: Step 1) Get the latest source of GNU bash and compile it with --enable-restricted supplied as one of the options for configure. Install bash (usually, it will be installed on /usr/local/bin). Step 2) Create a shell script (in this example, I'll call it /usr/bin/newbash), chmod 755. The contents of this shell script is a two-liner: #!/usr/local/bin/bash /usr/local/bin/bash --restricted --rcfile /etc/newbash_profile Step 3) Create the newbash_profile mentioned above. Copy this to /etc. # Set the default system $PATH: PATH="$HOME/bin" PS1='\h:\w\$ ' export PATH PS1 # Default umask. A umask of 022 prevents new files from # being created, group and world writable. umask 022 Step 4) Create subdirectory "bin" just under the home directory of user, as mentioned in the PATH in Step 3. Step 5) Put in bin all executables that will be needed by user (except bash itself! If you let the user execute bash, he can now "break out" of his restrictions, e.g. user can now cd to other dirs!) If you only need scp, just copy this to the user's $HOME/bin. Also, throw in "ls" (so that your user knows what's in his directory!) Step 6) Change the "shell" field of the user in /etc/passwd to /usr/bin/newbash Example: old entry: user:x:106:700:First M. Last,TestUser,,555-9222:/home/user:/bin/bash new entry: user:x:106:700:First M. Last,TestUser,,555-9222:/home/user:/usr/bin/newbash Cheers! -------------------- "Security begins as a state of mind." -- NSA Manual