openssh public Key Authentication - with restricted login shell

Hi,

I'd like to use scp to transfer data to a Linux box out of a perl script using public key authentication (with no passphrase :-( ).
As long as the used userid has a regular account on that server everything works fine.
But for higher security I'd like the user not to be able to login, so I gave him a "nologin shell" in the /etc/passwd. In this case it's also impossible to authenticate as before.
So I thought it should be a working but restricted "login shell", which is sufficient enough for that user to complete the authentication and to do its scp file transfer, nothing else.
Any idea?

Thanks in advance

Jannis

Re: openssh public Key Authentication - with restricted login shell

If you can use sftp rather than scp you can set the shell to /usr/libexec/openssh/sftp-server (choose your location) and that chroots the sftp to the home directory.

Robin

2009/11/5 Jannis Kafkoulas <jasecml@...>:
> Hi,
>
> I'd like to use scp to transfer data to a Linux box out of a perl script using public key authentication (with no passphrase :-( ).
> As long as the used userid has a regular account on that server everything works fine.
> But for higher security I'd like the user not to be able to login, so I gave him a "nologin shell" in the /etc/passwd. In this case it's also impossible
> to authenticate as before.
> So I thought it should be a working but restricted "login shell", which is sufficient enough for that user to complete the authentication and to do its scp file transfer, nothing else.
> Any idea?
>
> Thanks in advance
>
> Jannis

RE: openssh public Key Authentication - with restricted login shell

Hi Jannis,

I have used 'scponly' previously in order to do this:
http://sublimation.org/scponly/wiki/index.php/Main_Page

Chris

-----Original Message-----
From: listbounce@... [mailto:listbounce@...] On Behalf Of Jannis Kafkoulas
Sent: Thursday, 5 November 2009 11:27 PM
To: security-basics@...
Subject: openssh public Key Authentication - with restricted login shell

Hi,

I'd like to use scp to transfer data to a Linux box out of a perl script using public key authentication (with no passphrase :-( ).
As long as the used userid has a regular account on that server everything works fine.
But for higher security I'd like the user not to be able to login, so I gave him a "nologin shell" in the /etc/passwd. In this case it's also impossible to authenticate as before.
So I thought it should be a working but restricted "login shell", which is sufficient enough for that user to complete the authentication and to do its scp file transfer, nothing else.
Any idea?

Thanks in advance

Jannis

Re: openssh public Key Authentication - with restricted login shell

Jannis Kafkoulas wrote:
> Hi,
>
> I'd like to use scp to transfer data to a Linux box out of a perl script using public key authentication (with no passphrase :-( ).
> As long as the used userid has a regular account on that server everything works fine.
> But for higher security I'd like the user not to be able to login, so I gave him a "nologin shell" in the /etc/passwd. In this case it's also impossible
> to authenticate as before.
> So I thought it should be a working but restricted "login shell", which is sufficient enough for that user to complete the authentication and to do its scp file transfer, nothing else.
> Any idea?
>

Specify a command for that public key to run on connection. I use something like this on some of my machines to allow a particular key to only scp a particular file.

    command="sh -c 'scp -t /home/username/filename'" ssh-dss ABCD....ufHlMaTj7= my openssh public key

You can find out exactly what command you need to use in authorized_keys by running 'scp -v' on the client side. One of the things it prints out is the name of the command that it is trying to run.

I have not set the login shell for my username to nologin but I would presume that you should be able to do that and still have the scp working.

--
Thanks,
Phill Macey
(CiSRA IT Services)
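
Added example, not part of the thread or of any poster's setup: a forced-command wrapper that generalizes the single-file `command=` entry above by checking what the client asked for before running it. It assumes the legacy scp protocol, where the client asks the server to run `scp -t <path>`. The install path `/usr/local/bin/scp-upload-only`, the `--forced` argument, `ALLOWED_DIR` and the function names are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example, not from the thread. Install path, ALLOWED_DIR and function
# names are assumptions. authorized_keys entry (key shown as a placeholder):
#   command="/usr/local/bin/scp-upload-only --forced",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding <keytype> <base64 key> <comment>
LC_ALL=C; export LC_ALL
ALLOWED_DIR="/home/username/incoming"

# Print the target path and return 0 only for "scp -t <path>" with <path>
# inside ALLOWED_DIR; anything else (other flags, other commands) returns 1.
validate_scp_upload() {
    cmd=$1
    case $cmd in
        "scp -t "*) target=${cmd#"scp -t "} ;;
        *) return 1 ;;
    esac
    case $target in
        *[!A-Za-z0-9._/-]*) return 1 ;;   # whitespace, quotes, ; | & $ ...
        *..*) return 1 ;;                 # no climbing out of ALLOWED_DIR
    esac
    case $target in
        "$ALLOWED_DIR"/?*) printf '%s\n' "$target" ;;
        *) return 1 ;;
    esac
}

# Forced-command entry point: sshd exports the client's request in
# SSH_ORIGINAL_COMMAND; it is unset for an interactive login attempt.
run_forced_command() {
    if target=$(validate_scp_upload "${SSH_ORIGINAL_COMMAND:-}"); then
        exec scp -t "$target"
    fi
    echo "rejected: ${SSH_ORIGINAL_COMMAND:-interactive login}" >&2
    return 1
}

if [ "${1:-}" = "--forced" ]; then
    run_forced_command || exit 1
fi

# Constructed sample requests, used when the script is run by hand.
for sample in "scp -t /home/username/incoming/report.csv" \
              "scp -t /home/username/incoming/../.ssh/authorized_keys" \
              "scp -f /etc/passwd" \
              "scp -t /tmp/x; id" \
              ""; do
    if validate_scp_upload "$sample" >/dev/null; then verdict=allow; else verdict=deny; fi
    printf '%-5s %s\n' "$verdict" "${sample:-<no command>}"
done
```

sshd runs a forced command through the account's login shell, so the account needs a shell that can execute the wrapper. Client flags such as `-p` or `-r` change the string the client sends and are denied unless the first pattern is extended to cover them.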