From owner-freebsd-questions Wed Jul 17 15:45:12 2002
Date: Wed, 17 Jul 2002 23:44:57 +0100
From: Matthew Seaman
To: Ken McGlothlen
Cc: questions@FreeBSD.ORG
Subject: Re: scp and non-shell accounts.
Message-ID: <20020717224456.GA99131@happy-idiot-talk.infracaninophi>
In-Reply-To: <86n0sqxdo9.fsf@ralf.artlogix.com>

On Wed, Jul 17, 2002 at 02:11:34PM -0700, Ken McGlothlen wrote:
> I have one system where my users have shell accounts and hang out
> on. This has an Apache server installed as a staging server. I
> have another system which is the production webserver.
> I want my users to be able to transfer files to the production
> webserver using scp or sftp, but not to have shell access on the
> production webserver.
> So on the production machine, each of these users has a home
> directory, and a shell of /sbin/nologin.

Unfortunately as you've observed, that won't work. You have to have a
valid shell in order to use scp or sftp.

> Do I really have to permit shell access for these accounts in order
> to use scp or sftp?

No. You can get around that, but it's not particularly pretty. It's
also probably not completely impervious to a clever hacker. You need
to do the following:

i) Insist that the only authentication method permitted for accessing
   the production server is via ssh public/private key pairs. Remove
   the password crypt text from /etc/master.passwd -- replace with '*'
   or somesuch, so password authentication is impossible.

ii) Get your users to generate public/private key pairs. Install the
    public keys into the appropriate ${HOME}/.ssh/authorized-keys
    files, but use the forced command feature, by prefixing the line
    with

        command="scp -i ...." ssh-rsa AAAAB3NzaC1y....

    See the sshd(8) man page for some other authorized-keys options
    you may want to use.

The exact entry you write into the forced command will depend on the
setup of your system. Note that the command that is run is precisely
as specified in the 'command="..."' text, so unless you want your
users to always copy the same files each time, you'll need to force
running a shell script which can examine the SSH_ORIGINAL_COMMAND
environment variable, verify that it is a permissible command and if
so, execute it.

Make sure the authorized-keys files and any containing directories up
to the root directory are readable but not writable by the users.

An alternative method is to not permit your users to do the copy
themselves. Set up an area that your users can write to on the
staging server which is a mirror of the document tree on the
production server. Then set up a cron job to rsync from the staging
to the production server at regular intervals to copy over your
users' changes to production.
Even better: have your users check their files into CVS, and have the
production server check them out at regular intervals. That's a method
used on a certain website that should be familiar to all readers
here...

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
Tel: +44 1628 476614                                  Marlow
Fax: +44 0870 0522645                                 Bucks., SL7 1TH UK
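The SSH_ORIGINAL_COMMAND-checking wrapper that step ii) of the reply calls for, as an added example that is not part of the original mail: a POSIX sh script installed as the forced command for an scp-only account. It accepts only the plain server-side scp invocation the scp client sends, confined to one directory tree, and refuses everything else; the UPLOAD_ROOT path, the script name in the authorized_keys line and the /usr/bin/scp location are assumptions, and sftp is deliberately not covered.

```shell
#!/bin/sh
# scp-only forced-command wrapper (added example, not from the original mail).
# Referenced from ~/.ssh/authorized_keys as, e.g. (key shortened):
#   command="/usr/local/bin/scp-only.sh",no-pty,no-port-forwarding ssh-rsa AAAA...
# UPLOAD_ROOT is an assumed site-specific path: the only tree clients may touch.
UPLOAD_ROOT="/usr/local/www/data"

# check_command CMD: return 0 if CMD is a plain "scp [-p] [-r] [-d] -t|-f PATH"
# whose PATH is an absolute path inside UPLOAD_ROOT, 1 otherwise.
check_command() {
    cmd=$1
    # Character allowlist: anything else (; & | ` $ ( ) < > \ quotes, globs,
    # tab, newline) is refused. The "@" sentinel keeps a trailing newline visible.
    [ "$(printf '%s@' "$cmd" | tr -d 'A-Za-z0-9_./ -')" = "@" ] || return 1
    set -- $cmd                      # safe now: no glob or IFS surprises left
    [ "$1" = "scp" ] || return 1
    shift
    mode=""
    while [ $# -gt 1 ]; do           # every word but the last must be a flag
        case $1 in
            -p|-r|-d) ;;             # flags the scp client adds for -p, -r, dir targets
            -t|-f) mode=$1 ;;        # -t receive (upload), -f send (download)
            *) return 1 ;;
        esac
        shift
    done
    [ -n "$mode" ] || return 1
    path=$1
    case $path in
        "$UPLOAD_ROOT"|"$UPLOAD_ROOT"/*) ;;   # must lie in the permitted tree
        *) return 1 ;;
    esac
    case "/$path/" in
        */../*) return 1 ;;          # no climbing back out with ..
    esac
    return 0
}

# sshd sets SSH_ORIGINAL_COMMAND when running us as a forced command; if it is
# unset (e.g. the script is sourced for testing) just define the function.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    if check_command "$SSH_ORIGINAL_COMMAND"; then
        logger -p auth.info -t scp-only "allowed: $SSH_ORIGINAL_COMMAND"
        set -- $SSH_ORIGINAL_COMMAND
        shift                        # drop the "scp" word, run our own binary
        exec /usr/bin/scp "$@"
    fi
    logger -p auth.warning -t scp-only "rejected: $SSH_ORIGINAL_COMMAND"
    exit 1
fi
```

Rejections are logged via syslog's auth facility, so repeated attempts to escape the allowed tree show up in /var/log/auth.log alongside the sshd entries.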