From owner-freebsd-questions Fri Oct 12 22:21:13 2001 Delivered-To: freebsd-questions@freebsd.org Received: from robin.mail.pas.earthlink.net (robin.mail.pas.earthlink.net [207.217.120.65]) by hub.freebsd.org (Postfix) with ESMTP id C2F1537B40D for ; Fri, 12 Oct 2001 22:21:10 -0700 (PDT) Received: from blossom.cjclark.org (dialup-209.245.143.238.Dial1.SanJose1.Level3.net [209.245.143.238]) by robin.mail.pas.earthlink.net (8.11.5/8.9.3) with ESMTP id f9D5KiT04134; Fri, 12 Oct 2001 22:20:51 -0700 (PDT) Received: (from cjc@localhost) by blossom.cjclark.org (8.11.6/8.11.3) id f9D5KQJ07501; Fri, 12 Oct 2001 22:20:26 -0700 (PDT) (envelope-from cjc) Date: Fri, 12 Oct 2001 22:20:25 -0700 From: "Crist J. Clark" To: Francisco Reyes Cc: FreeBSD Questions List Subject: Re: Automating ssh connections so only one command would run. Message-ID: <20011012222025.I6274@blossom.cjclark.org> Reply-To: cjclark@alum.mit.edu References: <20011011224233.G293@blossom.cjclark.org> <20011013005710.A10822-100000@zoraida.natserv.net> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <20011013005710.A10822-100000@zoraida.natserv.net>; from lists@natserv.com on Sat, Oct 13, 2001 at 12:59:00AM -0400 Sender: owner-freebsd-questions@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG On Sat, Oct 13, 2001 at 12:59:00AM -0400, Francisco Reyes wrote: > On Thu, 11 Oct 2001, Crist J. Clark wrote: > > > On Thu, Oct 11, 2001 at 11:38:34PM -0400, Francisco Reyes wrote: > > > I followed several tutorials on how to automate ssh connections, but I > > > would like to restrict the connection so only scp would run. > > > > scp(1) and ssh(1) are not really designed to work this way. Even if > > you can limit users to scp(1), > > Do you know? That is what I am trying to find. > > > >it is trivial to slip commands through scp(1), > >$ scp 'remote:somefile;touch /tmp/scp_test' . > > And check for /tmp/scp_test on the remote machine. > > I don't see how this is a security problem. Could you explain? I presume you want to limit people to scp(1) so they do not have full shell access; they can't execute arbitrary commands on the remote machine. With scp(1), you can do, $ cat > command.sh < exec > command.out 2>&1 > > EOF $ scp command.sh remote: $ scp 'remote:nonexistent; /bin/sh command.sh' . $ scp remote:command.out . $ more command.out Actually, you don't need the last step, but I thought you might like to get your data back. > Automating scp may not be the most secure way to copy data, but is there a > better way? scp = ssh = shell access. But I may have misunderstood what you are trying to achieve. -- Crist J. Clark | cjclark@alum.mit.edu | cjclark@jhu.edu http://people.freebsd.org/~cjc/ | cjc@freebsd.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message