[scponly] scponly and arbitrary commands

Kaleb Pederson kaleb.pederson at gmail.com
Tue Sep 7 19:49:05 EDT 2010


On Tuesday, September 07, 2010 04:19:25 pm Alan Evans wrote:
> Perhaps then you can suggest a way around our current problem.  I need to
> allow select shared user accounts to use scp/sftp only via SSH but, other
> named users to be able to sudo and get a shell for that shared user.
> 
> ssh shared@host should fail
> sftp shared@host should succeed
> scp shared@host:file ./file should succeed
> 
> ssh alan@host
> #then
> [alan@host ~]$ sudo -u shared -s should succeed
> [shared@host ~]$
> 
> As of now the sudo -u command gives me a /usr/bin/scponly shell and since
> *I* am not an SFTP client I am not getting very far... :)

sudo looks at the SHELL environment variable to determine which shell should be executed, so you should be able to set it before running sudo.  For example:

SHELL=/bin/sh sudo -u shared -s

This should allow you to execute a shell that's distinct from the user's default login shell.

I think this is your best option.  If you can chroot the users who ssh in directly then you can guarantee that they don't have access to the shell.  Your other users, however, could ssh in and then specify the shell that exists outside the scponly chroot.

> I have tried some /etc/profile and /etc/profile.d/ magic but am not having
> any success, nor are those ideal solutions.

ssh allows you to specify a command that is executed when users log in with specific ssh keys.  For example:

command="/bin/cmd" ssh-dss AA***base64encodedKey*** user@host

However, this is a command that is passed to the default shell and wouldn't be useful for the sudo case.  However, if your shell were /bin/sh you could specify scponly for the users who needed it, but this would be *much* less secure.

-- 
Kaleb Pederson

Blog - http://kalebpederson.com
Twitter - http://twitter.com/kalebpederson

> We are using RHEL4 and RHEL5 so the niceness of Match blocks in sshd_config
> are not an option.
> 
> I am stumped at the moment.  Any help or thoughts would be appreciated.
> 
> Regards,
> -Alan
> 
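An added example, not from the scponly project or either poster: a small audit that parses an OpenSSH authorized_keys file and reports which keys carry a forced command="..." option (as in the reply above) and which are unrestricted. The sftp-server path and the sample key lines are constructed placeholders, not taken from the thread.

```python
# Added example (not from scponly or the list post): audit an OpenSSH
# authorized_keys file for keys that lack a forced command="..." option.
KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")  # OpenSSH key type names

def _split_options(line):
    """Split leading options into (options, rest); quoted values may hold commas, spaces, escaped quotes."""
    opts, cur, in_quote, i = [], [], False, 0
    while i < len(line):
        ch = line[i]
        if in_quote and ch == "\\" and i + 1 < len(line):
            cur.append(line[i + 1])  # keep the escaped char, drop the backslash
            i += 2
            continue
        if ch == '"':
            in_quote = not in_quote  # quotes delimit a value, not part of it
        elif ch == "," and not in_quote:
            opts.append("".join(cur))
            cur = []
        elif ch.isspace() and not in_quote:
            return opts + ["".join(cur)], line[i:].lstrip()
        else:
            cur.append(ch)
        i += 1
    raise ValueError("option list never terminated: %r" % line)

def parse_line(line):
    """Return None for blank/comment lines, else a dict describing the key."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    options = []
    if not line.split(None, 1)[0].startswith(KEY_TYPE_PREFIXES):
        options, line = _split_options(line)
    fields = line.split(None, 2)
    if len(fields) < 2:
        raise ValueError("malformed authorized_keys line: %r" % line)
    forced = [o[len("command="):] for o in options if o.startswith("command=")]
    return {"type": fields[0], "comment": fields[2] if len(fields) == 3 else "",
            "options": options, "command": forced[-1] if forced else None}

def audit(text):
    """List (comment, status) per key: 'forced:<cmd>' or 'UNRESTRICTED'."""
    return [(e["comment"], "UNRESTRICTED" if e["command"] is None else "forced:" + e["command"])
            for e in map(parse_line, text.splitlines()) if e]

# Constructed sample: placeholder key blobs; the sftp-server path is an assumption.
SAMPLE = """\
command="/usr/libexec/openssh/sftp-server",no-pty,no-port-forwarding ssh-rsa AAAAB3FAKE shared-backup
ssh-ed25519 AAAAC3FAKE alan@laptop
command="/usr/libexec/openssh/sftp-server -l \\"INFO\\"",from="10.0.0.0/8,192.168.1.0/24" ssh-rsa AAAAB3FAKE shared-app
"""
```

Run `audit(open("/home/shared/.ssh/authorized_keys").read())` against a real file to list keys that would still reach the login shell unrestricted.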