
sFTP nologin - FreeBSD


  1. #1

    sFTP nologin

    Hi all,

    Going blind again.

    Is there a quick - secure way to allow the sshd sFTP subsystem to allow
    sftp connections without allowing shell accounts?

    If so, I will keep searching but I have not found it yet.

    -Grant


    Grant Guest

  2. #2

    Re: sFTP nologin

    On Fri, 2005-03-25 at 09:19 -0500, Grant Peel wrote: 

    I can't answer this directly - I did look for the same thing but
    couldn't see how to do it (so I'd be really interested if you find a
    way). I got the feeling that it needs a shell by definition.

    But when I was looking, I noticed that security/openssh-portable has the
    make option:

    WITH_OPENSSH_CHROOT

    which doesn't seem to exist for security/openssh and maybe tightens
    things up a bit.

    Closer to what you want might be would be rssh, but I've never tried
    using it so can't comment further:

    #less /usr/ports/shells/rssh/pkg-descr
    rssh is a Restricted Secure SHell that allow only the use of sftp or scp.
    It could be use when you need an account (and a valid shell) in order to
    execute sftp or scp but when you don't want to give the possibility to log
    in to this user.

    WWW: http://www.pizzashack.org/rssh/index.shtml

    - enigmatyc


    HTH

    Peter.

    Peter Guest

  3. #3

    Re: sFTP nologin

    Grant Peel wrote: 

    Create the account and set its shell to /sbin/nologin. You can safely
    add that to /etc/shells: it does its name and just prints a terse
    message before booting the user if he tries to connect via vanilla SSH.

    Eric Guest

  4. #4

    Re: sFTP nologin

    On Fri, 2005-03-25 at 10:59 -0500, Eric McCoy wrote: 
    >
    > Create the account and set its shell to /sbin/nologin. You can safely
    > add that to /etc/shells: it does its name and just prints a terse
    > message before booting the user if he tries to connect via vanilla SSH.

    Hmmm... I tried that myself before and it didn't work. I get:

    Received message too long 1416128883

    from sftp if I try to log in to an account with /sbin/nologin as the
    shell. That's why I suggested rssh to the OP.

    Peter.

    Peter Guest
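Why /sbin/nologin produces exactly that error, as an added illustration that is not part of the thread: the sftp client treats the first four bytes the server-side process writes to stdout as the big-endian length of the first SFTP packet, so any banner printed before sftp-server starts is read as a bogus length. FreeBSD's nologin prints "This account is currently not available.", and the bytes of "This" decode to 1416128883, the number in Peter's error; the "Welcome to FreeBSD" motd that post #8 mentions fails the same way. The POSIX sh function below does that decoding and assumes an ASCII message of at least four characters.

```shell
#!/bin/sh
# Decode the first four bytes of a string the way an sftp client reads the
# SFTP packet-length field: an unsigned 32-bit big-endian integer.
# Added example, not code from the thread. Assumes an ASCII message that is
# at least four characters long.
sftp_length_prefix() {
    msg=$1
    n=0
    i=1
    while [ "$i" -le 4 ]; do
        # i-th character, then its byte value via printf's "'c" form
        c=$(printf '%s' "$msg" | cut -c "$i")
        n=$(( n * 256 + $(printf '%d' "'$c") ))
        i=$(( i + 1 ))
    done
    echo "$n"
}

# Constructed inputs: FreeBSD's /sbin/nologin message, and the start of the
# default FreeBSD motd that post #8 had to suppress for scponly.
sftp_length_prefix "This account is currently not available."   # 1416128883
sftp_length_prefix "Welcome to FreeBSD!"                         # 1466264675
```

Any output on stdout before sftp-server starts (nologin, a motd, an echo in a login script) breaks the session this way; a restricted shell must therefore write its refusal to stderr or print nothing at all.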

  5. #5

    Re: sFTP nologin

    Yes, been trying that all morning. sbin/nologin kills the connection after
    it prints the message.

    I have been trying scponly; it has been less than workable so far too.

    -Grant




    ----- Original Message -----
    From: "Eric McCoy" <org>
    To: "Grant Peel" <com>
    Cc: <org>
    Sent: Friday, March 25, 2005 10:59 AM
    Subject: Re: sFTP nologin

     
    >
    > Create the account and set its shell to /sbin/nologin. You can safely add
    > that to /etc/shells: it does its name and just prints a terse message
    > before booting the user if he tries to connect via vanilla SSH.
    >
    >[/ref]


    Grant Guest

  6. #6

    Re: sFTP nologin

    On Fri, 25 Mar 2005 11:11:51 -0500
    "Grant Peel" <com> wrote:

    you could set up a jail for that user (or group of users) and let them
    do regular ftp within localhost from the jail to your host-system,
    then they have a restricted shell and still can upload/download

    albi@scii.nl Guest

  7. #7

    Re: sFTP nologin

    what about the scponly shell, found in /usr/ports/shells ??

    I have no experience with it, but you may want to create a user to use
    that shell and transfer the files for you.....

    Here's the pkg-descr

    stevenpeek$ more pkg-descr
    [Excerpted from the README:] "scponly" is an alternative "shell" (of sorts)
    for system administrators who would like to provide access to remote users to
    both read and write local files without providing any remote execution
    privileges. Functionally, it is best described as a wrapper to the
    tried-and-true ssh suite.

    scponly validates remote requests by examining the third argument passed to the
    shell upon login. (The first argument is the shell itself, and the second is
    -c.) The only commands allowed are "scp", "sftp-server" and "ls". Arguments
    to these commands are passed along unmolested.

    WWW: http://www.sublimation.org/scponly/

    Steven Guest

  8. #8

    Re: sFTP nologin

    I experimented with this quite a while ago (~ 2001) and don't remember all the
    details, but I used scponly and had to prevent the "Welcome to FreeBSD..."
    text from being shown. That was the message too long problem IIRC. It worked
    with at least WinSCP and gFTP as clients.

    You could also consider pulling an stunnel over ordinary ftpd and have no ssh
    access at all except for people who need or are granted shell access. It's
    not hard to set up, you basically deal with it as if it were a proxy.

    HTH,

    Dan
    Danny Guest

  9. #9

    Re: sFTP nologin

    > Yes, been trying that all morning. sbin/nologin kills the connection after 

    'nologin' will work for 'ftp' and things that don't require a password
    ( i.e. `sudo -u user -s`)

    'scponly' is the correct solution for limiting users to scp or sftp.
    I use it extensively in production for setting up secure, automated
    file transfers (w/ key auth).

    Once 'scponly' is installed, it should be a simple matter of adding
    'scponly' to /etc/shells and configuring your user's shell
    accordingly.

    - jw
    Jeff Guest

  10. #10

    Re: sFTP nologin

    > On Fri, 25 Mar 2005 19:53:12 -0500, Grant Peel <com> wrote: 

    If you want 'chroot' functionality read the Makefile. The default
    build behavior is 'undefined' for chroot.

    Once you have scponly built to your needs, all you need is to add
    'scponly' ('scponlyc') to /etc/shells and change your user's shell
    accordingly. (see manpage for more info)

    -jw
    Jeff Guest

  11. #11

    Re: sFTP nologin


    * Grant Peel [2005-03-25 09:19 -0500] 


    I'm using this shell-script as a "nologin"-shell:

    -------------
    #!/bin/sh
    # sshd invokes the login shell as "-c /usr/libexec/sftp-server" for the
    # sftp subsystem; only that exact invocation is passed on to a real shell
    if [ "$1" = "-c" -a "$2" = "/usr/libexec/sftp-server" ]; then
        exec /bin/sh "$@"
    else
        echo "You are not allowed to login"
        sleep 2
        exit 0
    fi
    -------------


    This will allow sftp, but not shell login (or scp)


    Svein Guest
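A fuller version of the idea in Svein's script, added here as an example and not taken from the thread: the check is an exact match on the two arguments sshd passes for the sftp subsystem (so "-c" with anything else, including a command string that merely starts with the sftp-server path, is refused), the allowed case execs /usr/libexec/sftp-server directly instead of going through /bin/sh -c, and the refusal goes to stderr so nothing lands in the SFTP stream on stdout. The file name sftp-only-shell is my assumption; like scponly it would have to be listed in /etc/shells before sshd will accept it as a user's shell.

```shell
#!/bin/sh
# Restricted login shell that lets sshd's sftp subsystem through and refuses
# everything else: interactive login, scp, and arbitrary "ssh host cmd".
# Added example, not from the thread. Assumed install path:
# /usr/local/bin/sftp-only-shell, listed in /etc/shells.
SFTP_SERVER=/usr/libexec/sftp-server

# sftp_only_allowed ARGS...: succeed only for exactly "-c /usr/libexec/sftp-server",
# which is what sshd hands the login shell for the sftp subsystem.
# Exact string comparison, not a pattern, so "-c '/usr/libexec/sftp-server; sh'",
# "-c /usr/libexec/sftp-server extra" and "-c scp ..." are all refused.
sftp_only_allowed() {
    [ "$#" -eq 2 ] && [ "$1" = "-c" ] && [ "$2" = "$SFTP_SERVER" ]
}

# sftp_only_shell ARGS...: the entry point used when installed as a login shell.
# Execs sftp-server directly so no shell ever parses the command string.
sftp_only_shell() {
    if sftp_only_allowed "$@"; then
        exec "$SFTP_SERVER"
    fi
    # stderr only: bytes on stdout would be read by the client as an SFTP
    # packet length (the "Received message too long" symptom from the thread).
    echo "This account is restricted to sftp." >&2
    return 1
}

# Act as the login shell only when invoked under the assumed name; sshd sets
# argv[0] to "-sftp-only-shell" for a login shell or to the basename/path
# for a subsystem start, so both match here.
case "$0" in
    *sftp-only-shell) sftp_only_shell "$@" ;;
esac
```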
