Date: Wed, 17 Jul 2002 23:44:57 +0100
From: Matthew Seaman <m.seaman@infracaninophile.co.uk>
To: Ken McGlothlen <mcglk@artlogix.com>
Cc: questions@FreeBSD.ORG
Subject: Re: scp and non-shell accounts.
Message-ID: <20020717224456.GA99131@happy-idiot-talk.infracaninophi>
In-Reply-To: <86n0sqxdo9.fsf@ralf.artlogix.com>
References: <86n0sqxdo9.fsf@ralf.artlogix.com>
On Wed, Jul 17, 2002 at 02:11:34PM -0700, Ken McGlothlen wrote:
> I have one system where my users have shell accounts and hang out
> on. This has an Apache server installed as a staging server. I
> have another system which is the production webserver.
> I want my users to be able to transfer files to the production
> webserver using scp or sftp, but not to have shell access on the
> production webserver.
> So on the production machine, each of these users has a home
> directory, and a shell of /sbin/nologin.
Unfortunately as you've observed, that won't work. You have to have a
valid shell in order to use scp or sftp.
> Do I really have to permit shell access for these accounts in order
> to use scp or sftp?
No. You can get around that, but it's not particularly pretty. It's
also probably not completely impervious to a clever hacker. You need
to do the following:
i) Insist that the only authentication method permitted for
accessing the production server is via ssh public/private key
pairs. Remove the password crypt text from /etc/master.passwd
-- replace with '*' or somesuch, so password authentication is
impossible.
ii) Get your users to generate public/private key pairs.
Install the public keys into the appropriate
${HOME}/.ssh/authorized-keys files, but use the forced command
feature, by prefixing the line with
command="scp -i ...." ssh-rsa AAAAB3NzaC1y....
See the sshd(8) man page for some other authorized-keys options
you may want to use.
The exact entry you write into the forced command will depend
on the setup of your system. Note that the command that is
run is precisely as specified in the 'command="..."' text, so
unless you want your users to always copy the same files each
time, you'll need to force running a shell script which can
examine the SSH_ORIGINAL_COMMAND environment variable, verify
that it is a permissible command and if so, execute it.
Make sure the authorized-keys files and any containing
directories up to the root directory are readable but not
writable by the users.
An alternative method is to not permit your users to do the copy
themselves. Set up an area that your users can write to on the
staging server which is a mirror of the document tree on the
production server. Then set up a cron job to rsync from the staging
to the production server at regular intervals to copy over your users'
changes to production.
Even better: have your users check their files into CVS, and have the
production server check them out at regular intervals. That's a
method used on a certain website that should be familiar to all
readers here...
Cheers,
Matthew
--
Dr Matthew J Seaman MA, D.Phil.
26 The Paddocks
Savill Way
Marlow
Bucks., SL7 1TH UK
Tel: +44 1628 476614
Fax: +44 0870 0522645
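One way to implement the "shell script which can examine SSH_ORIGINAL_COMMAND" from step ii) above, as an added example that is not part of Matthew's post: a POSIX sh forced-command wrapper that only lets `scp -t` uploads land under a document root. The script path, the document root and the extra authorized_keys options are assumptions; it covers the scp sink protocol only, not sftp.

```shell
#!/bin/sh
# Forced-command wrapper for an scp-only account (added example, not from the post).
# Install it in authorized_keys as (script path is an assumption):
#   command="/usr/local/sbin/scp-only",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-rsa AAAA...
# sshd runs this instead of the client's request and passes that request in SSH_ORIGINAL_COMMAND.

ALLOWED_DIR="/usr/local/www/data"    # assumed document root on the production host

# check_command CMD: return 0 only if CMD is a plain "scp [-r] [-p] [-d] -t <target>" upload
# whose target lies inside ALLOWED_DIR; anything else is refused.
check_command() {
    cmd=$1
    # Refuse every shell metacharacter and any '..' component before looking further.
    case "$cmd" in
        *';'*|*'&'*|*'|'*|*'<'*|*'>'*|*'`'*|*'$'*|*'('*|*')'*|*'*'*|*'?'*|*'['*|*'\'*|*"'"*|*'"'*|*'/../'*|*'/..')
            return 1 ;;
    esac
    set -- $cmd                       # word-split the vetted string; $1 is the program
    [ "$1" = scp ] || return 1
    shift
    seen_t=0
    while [ $# -gt 1 ]; do            # everything but the last word must be a known option
        case "$1" in
            -t) seen_t=1 ;;           # sink mode: the client is uploading to us
            -r|-p|-d) ;;              # recursive, preserve times, target-is-directory
            *) return 1 ;;            # -f (download) or anything unexpected
        esac
        shift
    done
    [ $seen_t -eq 1 ] || return 1
    case "$1" in                      # the remaining word is the target path
        "$ALLOWED_DIR"|"$ALLOWED_DIR"/*) return 0 ;;
    esac
    return 1
}

# Entry point under sshd. With no SSH_ORIGINAL_COMMAND the client asked for an interactive
# shell; returning without exec'ing anything ends the session with nothing run.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    if check_command "$SSH_ORIGINAL_COMMAND"; then
        set -- $SSH_ORIGINAL_COMMAND  # safe to word-split: metacharacters were rejected above
        exec "$@"                     # run scp directly, never through another shell
    fi
    echo "only 'scp -t' into $ALLOWED_DIR is permitted on this account" >&2
    exit 1
fi
```

Because sshd sets SSH_ORIGINAL_COMMAND before running the forced command, the wrapper never needs the user to have a real login shell; /sbin/nologin can stay as the account's shell only if sshd is allowed to run the command, so keep the forced-command user on a valid shell and rely on this script to deny everything else.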