From owner-freebsd-questions Sat Dec 9 22:42:44 2000
Date: Sun, 10 Dec 2000 00:50:26 -0600 (CST)
From: "Nicolai L. Brown"
To: Nicolas
Subject: Re: scp only
In-Reply-To: <005201c0622c$93aff800$0364000a@rachinsky.de>

On Sat, 9 Dec 2000, Nicolas wrote:

> I'm sorry but none of your solutions works. /bin/false as shells
> denies any access via ssh (including scp). ~/.login containing logout
> could be circumvented by starting another command (e.g. /bin/sh) via
> ssh.
>
> Nicolas

How? If their ~/.login contains 'logout', and they don't have access to
overwrite it, they can't execute anything else. Maybe I'm missing
something, show me how you are doing this.

Nicolai

> ----- Original Message -----
> From: "Bill Paul"
> To: "Nicolai L. Brown"
> Cc:
> Sent: Friday, December 08, 2000 9:23 PM
> Subject: Re: scp only
>
> > > On Fri, 8 Dec 2000, Nicolas wrote:
> > >
> > > > Hello,
> > > >
> > > > I want to let a user upload files via scp to one of my machines, but I
> > > > don't want to give him the possibility to log in or start any programs
> > > > except scp. Is there any easy way to achieve this? I can't find such
> > > > an option in the ssh docs. Thanks in advance.
> > >
> > > You might try giving them a csh shell, and a ~/.login file containing the
> > > word "logout", and owned root:wheel. Also, chown their .cshrc and .tcshrc
> > > files to root:wheel, so they cannot overwrite those with their own via
> > > scp.
> > >
> > > Don't know if this is the best solution, but it will work.
> >
> > No it won't, monkeyboy. Even though the user doesn't have write access
> > to the files, he still owns the directory in which they reside. All
> > he has to do is FTP in and delete or rename them. Chown'ing the user's
> > home directory would prevent this, but it might screw up other things.
> >
> > I would set the user's shell to /bin/false instead. I'm not sure
> > how sshd will react to this though.
> >
> > -Bill
> >
> > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > with "unsubscribe freebsd-questions" in the body of the message
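Bill Paul's objection in the thread above (a root-owned ~/.login can still be deleted or renamed by whoever controls the directory it sits in) expressed as a metadata check. This is an added example, not part of the original thread; the function names `mode_uid` and `replaceable_by` are hypothetical, and group permissions are ignored as a simplifying assumption.

```shell
#!/bin/sh
# Added example (not from the thread): decide whether a "pinned" dotfile such
# as ~/.login can still be removed or renamed by a given numeric uid.
# Assumption: only owner and "other" permission bits are considered.

# Print "<mode-string> <owner-uid>" for a path, using numeric ls output.
mode_uid() {
    ls -ldn -- "$1" | awk '{ print $1, $3 }'
}

# replaceable_by UID DIR FILE
# Returns 0 and prints the reason when UID can remove or rename DIR/FILE.
# Returns 1 when neither ownership nor "other" bits allow it.
replaceable_by() {
    uid=$1 dir=$2 file=$3
    set -- $(mode_uid "$dir");       dmode=$1 duid=$2
    set -- $(mode_uid "$dir/$file"); fuid=$2

    # Unlink and rename are governed by the directory, and a directory's
    # owner can always chmod it to give themselves write access.
    if [ "$duid" = "$uid" ]; then
        echo "uid $uid owns $dir"; return 0
    fi
    # The file's owner can chmod and rewrite it in place.
    if [ "$fuid" = "$uid" ]; then
        echo "uid $uid owns $dir/$file"; return 0
    fi
    # "Other" write+search on the directory lets anyone unlink entries,
    # unless the sticky bit (shown as t/T) restricts that to owners.
    obits=$(printf '%s' "$dmode" | cut -c9-10)
    if [ "$obits" = "wx" ]; then
        echo "$dir is world-writable without the sticky bit"; return 0
    fi
    return 1
}
```

Run as `replaceable_by "$(id -u someuser)" /home/someuser .login`, where `someuser` is a placeholder account name; a zero exit status means the root:wheel ownership of the file alone does not pin it.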