forked from scponly/scponly
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathscponly.8.alternate_manpage
127 lines (120 loc) · 4.8 KB
/
scponly.8.alternate_manpage
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
.TH scponly 8 "Sept 04, 2002" ""
.SH NAME
\fBscponly\fP
.SH SYNOPSIS
\fBscponly\fP
\- limited shell for secure file transfers
.SH DESCRIPTION
\fBscponly\fP
is an alternative "shell" (of sorts) for system administrators who would like
to provide access to remote users to both read and write local files without
providing any remote execution privileges. Functionally, it is best described
as a wrapper to the trusted suite of ssh applications.
A typical usage of
\fBscponly\fP
is in creating a semi-public account not unlike the concept of anonymous login
for ftp. This allows an administrator to share files in the same way an
anonymous ftp setup would, only employing all the protection that ssh provides.
This is especially significant if you consider that ftp authentications
traverse public networks in a plaintext format.
Instead of just a single anonymous user,
\fBscponly\fP
supports configuring potentially many users, each of which could be set
up to provide access to distinct directory trees. Aside from the installation
details, each of these users would have their default shell in /etc/passwd set
to "/usr/local/bin/scponly" (or wherever you choose to install it). This
would mean users with this shell can neither login interactively or execute
commands remotely. They can however, scp files in and out, governed by the
usual Unixish file permissions.
.SH FEATURES
.IP \(bu
Logging:
\fBscponly\fP
logs time, client IP address, username, and the actual request to syslog.
.IP \(bu
chroot:
\fBscponly\fP
can chroot to the user's home directory (or any other directory the user has
permissions for), disallowing access to the rest of the filesystem.
.IP \(bu
sftp compatibility:
\fBscponly\fP
is fully compatible with sftp.
.IP \(bu
Security checks: root login is disallowed, seteuid after chroot.
.IP \(bu
WinSCP compatibility:
\fBscponly\fP
can be compiled in WinSCP compatibility mode that will permit a
"semi-interactive" shell that WinSCP can use.
.IP \(bu
gftp compatibility.
\fBscponly\fP is also fully compatible with gFTP in sftp mode.
\fBscponly\fP
doesn't do anything to manage read/write permissions. The ssh applications
already do that just fine. If you use
\fB,\fP
be aware that good old Unix-style file permissions are still doing the work of
protecting your files.
.SH NOTES
.IP \(bu
As recent as June 26, 2002, vulnerabilities have been
discovered in OpenSSH. There is also a SSH1 protocol vulnerability. If
you're going to use
\fB,\fP
, be aware it is no more secure than the ssh installation it runs on.
.IP \(bu
I've since discovered that ssh.com's commercial ssh offering supports BOTH
"dummy users" as well as functionality paralleling
\fB.\fP
I have not been able to find any notes on these features, but I did read that
they exist. I will make a point to include more information later. It appears
that OpenSSH does not yet support these features. At this time, I have no
plans to end-of-life
\fB,\fP
though ultimately, I recognize that
\fB,\fP
should eventually become just a feature of whichever sshd you may run.
.SH FILES
.TP
.B /usr/local/bin/scponly
The default location for the shell itself.
.TP
.B /usr/local/sbin/scponlyc
The default location for the chrooted version.
.TP
.B /etc/shells
To be a proper shell, it has to be included here.
.SH SEE ALSO
\fBchroot\fP(2),
\fBssh\fP(1),
\fBscp\fP(1),
\fBsftp\fP(1),
\fBshells\fP(5),
\fBsshd\fP(8).
.SH AUTHORS
An Joe Boyle Aq [email protected] .
.SH LEGALITIES
Copyright (C) 2001, 2002, 2003
An Joe Boyle Aq [email protected] .
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this
list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice,
this list of conditions and the following disclaimer in the documentation
and/or other materials provided with the distribution.
THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED
WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO
EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY
OF SUCH DAMAGE.
.SH BUGS
Versions prior to 2.4 were susceptible to shell circumvention via the
$HOME/.ssh/environment file which allowed perversion of LD_LIBRARY_PATH and PATH
environment variables.