From: Wayne Pascoe
To: Ken McGlothlen
Cc: questions@freebsd.org
Subject: Re: scp and non-shell accounts.
Date: 18 Jul 2002 00:40:11 +0000

Ken McGlothlen writes:

> I want my users to be able to transfer files to the production
> webserver using scp or sftp, but not to have shell access on the
> production webserver.
>
> So on the production machine, each of these users has a home directory, and a
> shell of /sbin/nologin.
>
> The problem is, this seems to trounce scp and sftp.  I get
>
> wibble@staging:~(1)$ scp transfer.txt wibble@prod:~
> wibble@prod's password: [type password]
>
> This account is currently not available. [from /sbin/nologin]
> wibble@staging:~(2)$ sftp prod
> Connecting to prod...
> wibble@prod's password: [type password]
> Received message too long 173237622
> wibble@staging:~(3)$ _
>
> Do I really have to permit shell access for these accounts in order
> to use scp or sftp?

You do have to permit shell access, but you can use a nice restrictive
shell. I can't remember where I found it originally (Byron - if you're
reading this, can you post the location?), but there is a shell out there
called scponly. Using this means that scp functions work ok but a user
cannot actually log in to the machine.

This I hope will suit your purpose? If you can't find it on Google,
mail me and I'll hunt out the URL.

Regards,

-- 
- Wayne Pascoe - http://www.penguinpowered.org.uk/wayne/
I'm from Iowa. I just work in space.
Admiral Kirk - Star Trek IV
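
The `Received message too long 173237622` line in the quoted session can be decoded: an sftp client reads the first four bytes from the server as a big-endian packet length, so any text a login shell prints is read as an enormous length. The Python below is an added example, not part of the original message; the 256 KiB limit and the two sample byte strings are assumptions constructed for illustration.

```python
import struct

# Assumption: the sftp client rejects any packet whose declared length
# exceeds 256 KiB (SFTP_MAX_MSG_LENGTH in current OpenSSH sources).
SFTP_MAX_MSG_LENGTH = 256 * 1024
SSH_FXP_VERSION = 2  # type byte of the server's first legitimate packet


def declared_length(stream: bytes) -> int:
    """Read the first four bytes as a big-endian uint32, as the client does."""
    if len(stream) < 4:
        raise ValueError("need at least 4 bytes to read a length field")
    return struct.unpack(">I", stream[:4])[0]


def client_verdict(stream: bytes) -> str:
    """Report how an sftp client would react to the first bytes it receives."""
    length = declared_length(stream)
    if length > SFTP_MAX_MSG_LENGTH:
        return f"Received message too long {length}"
    if len(stream) >= 5 and stream[4] == SSH_FXP_VERSION:
        return "ok: SSH_FXP_VERSION"
    return "unexpected packet"


def leading_text(reported_length: int) -> bytes:
    """Turn the number from the error back into the four bytes behind it."""
    return struct.pack(">I", reported_length)


def looks_like_text(raw: bytes) -> bool:
    """True when every byte is printable ASCII or common whitespace."""
    return all(b in (9, 10, 13) or 32 <= b < 127 for b in raw)


# Constructed inputs: the nologin message quoted in the thread, and a minimal
# well-formed SSH_FXP_VERSION reply (length 5, type 2, protocol version 3).
NOLOGIN_OUTPUT = b"This account is currently not available.\n"
VERSION_REPLY = struct.pack(">IBI", 5, SSH_FXP_VERSION, 3)

if __name__ == "__main__":
    print(client_verdict(NOLOGIN_OUTPUT))
    print(client_verdict(VERSION_REPLY))
    raw = leading_text(173237622)  # number from the session in the thread
    print(raw, looks_like_text(raw))
```

When the decoded bytes are printable text, the account's shell or startup files are writing to stdout before the sftp server speaks, which is the thing to fix on the server side.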