NAME
scponly - limited shell for secure file transfers
SYNOPSIS
scponly - limited shell for secure file transfers
DESCRIPTION
scponly is an alternative "shell" (of sorts) for system administrators
who would like to provide access to remote users to both read and write
local files without providing any remote execution privileges.
Functionally, it is best described as a wrapper to the trusted suite of
ssh applications.
(Note: scponlyc(8) is the chrooted version of scponly.)
A typical usage of scponly is in creating a semi-public account not
unlike the concept of anonymous login for ftp. This allows an
administrator to share files in the same way an anonymous ftp setup
would, only employing all the protection that ssh provides. This is
especially significant if you consider that ftp authentications traverse
public networks in a plaintext format.
Instead of just a single anonymous user, scponly supports configuring
potentially many users, each of which could could be set up to provide
access to distinct directory trees. Aside from the installation details,
each of these users would have their default shell in /etc/passwd set to
"/usr/bin/scponly". This would mean users with this shell can neither
login interactively or execute commands remotely. They can however, scp
files in and out, governed by the usual Unixish file permissions.
FEATURES
· Logging: scponly logs time, client IP, username, and the actual
request to syslog.
· chroot: scponly can chroot to the user’s home directory (or any other
directory the user has permissions for), disallowing access to the
rest of the filesystem. (Note: scponlyc(8) describes this
functionality.)
· sftp compatibility: My testing of sftp against an scponly user
worked great. This is probably the cleanest and most usable way for
an scponly user to access files.
· Security checks: root login is disallowed (though root should never
be configured to be using scponly as the default shell.)
· WinSCP 2.0 compatibility. scponly can be compiled in WinSCP
compatibility mode (it will by default) that will permit a "semi-
interactive" shell that WinSCP can use.
· gftp compatibility: scponly is compatible with gftp if you set "use
ssh2 sftp subsys" in your gftp options.
scponly doesn’t do anything to manage read/write permissions. The ssh
applications already do that just fine. If you use scponly, be aware
that good old Unix-style file permissions are still doing the work of
protecting your files.
NOTES
· As recent as June 26, 2002, vulnerabilities have been discovered in
OpenSSH. There is also a SSH1 protocol vulnerability. If you’re
going to use scponly , be aware it is no more secure than the ssh
installation it runs on.
· I’ve since discovered that ssh.com’s commercial ssh offering supports
BOTH "dummy users" as well as functionality paralleling scponly. I
have not been able to find any notes on these features, but I did
read that they exist. I will make a point to include more
information later. It appears that OpenSSH does not yet support
these features. At this time, I have no plans to end-of-life
scponly, though ultimately, I recognize that scponly should
eventually become just a feature of whichever sshd you may run.
FILES
/usr/bin/scponly The default location for the shell
itself.
/usr/sbin/scponlyc The default location for the chrooted
version of scponly
/etc/shells To be a proper shell, it has to be
included here.
SEE ALSO
ssh(1), scp(1), sftp(1), shells(5), sshd(8).
AUTHORS
Joe Boyle 〈joe@sublimation.org〉.
LEGALITIES
Copyright (C) 2001, 2002, 2003 Joe Boyle 〈joe@sublimation.org〉.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are
met:
1. Redistributions of source code must retain the above copyright notice,
this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.
THIS SOFTWARE IS PROVIDED BY THE AUTHOR ‘‘AS IS’’ AND ANY EXPRESS OR
IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
BUGS
Versions prior to 2.4 have a vulnerability wherein the .ssh/environment
file can be used to override $PATH and $LD_LIBRARY_PATH vars,
compromising the shell.