How to restrict SSH users to block SCP/SFTP? - Unix



  1. How to restrict SSH users to block SCP/SFTP?

    Hi,

    This is my first posting to this group, so please redirect me to the right
    group if this posting is not relevant here.

    I want to allow my users to SSH to my server but I want to block them
    from using SCP or SFTP.

    Please tell me if it is possible.

    Kind Regards,
    -Abhishek

  2. Re: How to restrict SSH users to block SCP/SFTP?

    On 2008-04-14, AbhishekM wrote:
    > Hi,
    >
    > This is my first posting to this group, so please redirect me to the right
    > group if this posting is not relevant here.
    >
    > I want to allow my users to SSH to my server but I want to block them
    > from using SCP or SFTP.
    >
    > Please tell me if it is possible.
    >

    sftp might be possible. scp is not. scp looks no different to the
    server than an ssh session; it's not possible to tell the two apart.

    --
    Christopher Mattern

    NOTICE
    Thank you for noticing this new notice
    Your noticing it has been noted
    And will be reported to the authorities

  3. Re: How to restrict SSH users to block SCP/SFTP?

    AbhishekM wrote:
    > Hi,
    >
    > This is my first posting to this group, so please redirect me to the right
    > group if this posting is not relevant here.
    >
    > I want to allow my users to SSH to my server but I want to block them
    > from using SCP or SFTP.
    >
    > Please tell me if it is possible.
    >
    > Kind Regards,
    > -Abhishek


    Yes, part of the format for keys in the
    "authorized_keys" includes the sort of restriction
    you are talking about. You can add
    command="command" to the key.
    This "Specifies that the command is executed whenever
    this key is used for authentication. The command
    supplied by the user (if any) is ignored."

    You can also configure the sshd daemon to ignore
    any commands (such as scp) and force a login shell.
    See the man pages for sshd and sshd_config for details.

    -Wayne
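
Added example, not part of any post in this thread: one way to apply the command="..." option described above is a gate script that grants a login shell only when the client requested no remote command, and refuses scp, sftp and any other remote command. The script path, the --enforce flag and the sample requests are assumptions of this example; it blocks the transfer protocols only, and a user with a shell can still copy data out, as later replies point out.

```shell
#!/bin/sh
# Added example (constructed): a gate script used as an SSH forced command.
# Assumed authorized_keys entry; path and --enforce flag are this example's:
#   command="/usr/local/bin/ssh-gate.sh --enforce" ssh-ed25519 <public-key>

# Classify the client's request. sshd exports what the client asked to run
# as SSH_ORIGINAL_COMMAND; it is empty for a plain interactive login.
# Every non-empty request is refused; the label only feeds the log line.
classify_request() {
    req=$1
    if [ -z "$req" ]; then
        echo shell
        return 0
    fi
    # Take the first word without glob expansion, then drop any directory.
    set -f; set -- $req; set +f
    prog=${1:-}
    prog=${prog##*/}
    case $prog in
        scp)                       echo deny-scp ;;     # scp -t / scp -f
        sftp-server|internal-sftp) echo deny-sftp ;;    # sftp subsystem
        *)                         echo deny-command ;; # any other request
    esac
}

# Forced-command entry point: login shell for interactive sessions only.
enforce() {
    decision=$(classify_request "${SSH_ORIGINAL_COMMAND:-}")
    if [ "$decision" = shell ]; then
        exec "${SHELL:-/bin/sh}" -l
    fi
    logger -t ssh-gate -p auth.notice \
        "user=${USER:-unknown} $decision: ${SSH_ORIGINAL_COMMAND:-}" \
        2>/dev/null || true
    echo "Interactive logins only; request refused ($decision)." >&2
    exit 1
}

if [ "${1:-}" = --enforce ]; then
    enforce
else
    # Demo on constructed requests when run by hand without --enforce.
    for sample in '' 'scp -t /tmp/upload' '/usr/lib/openssh/sftp-server' \
                  'cat /some/where/whatiwant.txt'; do
        printf '%-34s -> %s\n' "[$sample]" "$(classify_request "$sample")"
    done
fi
```

A user who has a shell can edit their own authorized_keys file and remove the restriction, so the same script is more robust when set server-side with ForceCommand inside a Match block in sshd_config.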

  4. Re: How to restrict SSH users to block SCP/SFTP?

    On Mon, 14 Apr 2008 02:51:33 -0700 (PDT), AbhishekM wrote:
    >
    > I want to allow my users to SSH to my server but I want to block them
    > from using SCP or SFTP.
    >


    http://sublimation.org/scponly/wiki/index.php/Main_Page

    Despite its name, it does scp and sftp.

    Helmut

    --
    Almost everything in life is easier to get into than out of.
    (Agnes' Law)

  5. Re: How to restrict SSH users to block SCP/SFTP?

    On Mon, 14 Apr 2008 02:51:33 -0700 (PDT), AbhishekM wrote:
    >
    > I want to allow my users to SSH to my server but I want to block them
    > from using SCP or SFTP.
    >


    After reading your post more carefully, I see you want to do quite the
    opposite of what people usually want (no shell but sftp/scp).

    Well now - I can only guess what train of thought led you to consider
    such a setup, but copying data will always be possible if a shell is
    provided:

    ssh user@host 'cat /some/where/whatiwant.txt' > igotit.txt

    So disabling scp/sftp (which probably could be done in some ugly way)
    will annoy users, but data will still leave your server if a user
    wishes to do so.

    Helmut

    --
    Almost everything in life is easier to get into than out of.
    (Agnes' Law)

  6. Re: How to restrict SSH users to block SCP/SFTP?

    On Apr 15, 2:18 am, Helmut Kreft wrote:
    > On Mon, 14 Apr 2008 02:51:33 -0700 (PDT), AbhishekM wrote:
    >
    > > I want to allow my users to SSH to my server but I want to block them
    > > from using SCP or SFTP.

    >
    > After reading your post more carefully, I see you want to do quite the
    > opposite of what people usually want (no shell but sftp/scp).
    >
    > Well now - I can only guess what train of thought led you to consider
    > such a setup, but copying data will always be possible if a shell is
    > provided:
    >
    > ssh user@host 'cat /some/where/whatiwant.txt' > igotit.txt
    >
    > So disabling scp/sftp (which probably could be done in some ugly way)
    > will annoy users, but data will still leave your server if a user
    > wishes to do so.
    >
    > Helmut
    >
    > --
    > Almost everything in life is easier to get into than out of.
    > (Agnes' Law)


    Hi Guys,

    Thanks for your responses. Now I understand that if I am allowing ssh
    then scp (or file transfer) is implicitly allowed. Therefore it is not
    possible to restrict a user from copying data if he really wants to.

    Kind Regards,
    -Abhishek
