DragonFly On-Line Manual Pages

scponly(8)             DragonFly System Manager's Manual            scponly(8)

NAME
     scponly

SYNOPSIS
     scponly - limited shell for secure file transfers

DESCRIPTION
     scponly is an alternative "shell" (of sorts) for system administrators
     who would like to provide access to remote users to both read and write
     local files without providing any remote execution privileges.
     Functionally, it is best described as a wrapper to the trusted suite of
     ssh applications.

     A typical usage of scponly is in creating a semi-public account not
     unlike the concept of anonymous login for ftp.  This allows an
     administrator to share files in the same way an anonymous ftp setup
     would, only employing all the protection that ssh provides.  This is
     especially significant if you consider that ftp authentications traverse
     public networks in a plaintext format.

     Instead of just a single anonymous user, scponly supports configuring
     potentially many users, each of which could be set up to provide access
     to distinct directory trees.  Aside from the installation details, each
     of these users would have their default shell in /etc/passwd set to
     "/usr/local/bin/scponly" (or wherever you choose to install it).  This
     would mean users with this shell can neither login interactively or
     execute commands remotely.  They can however, scp files in and out,
     governed by the usual Unixish file permissions.

FEATURES
     *   Logging: scponly logs time, client IP address, username, and the
         actual request to syslog.

     *   chroot: scponly can chroot to the user's home directory (or any other
         directory the user has permissions for), disallowing access to the
         rest of the filesystem.

     *   sftp compatibility:  My testing of sftp against an scponly user
         worked great.  This is probably the cleanest and most usable way for
         an scponly user to access files.

     *   Security checks:  root login is disallowed (though root should never
         be configured to be using scponly as the default shell.)

     *   WinSCP 2.0 compatibility: scponly can be compiled in WinSCP
         compatibility mode that will permit a "semi-interactive" shell that
         WinSCP can use.

     *   gftp compatibility: scponly is compatible with gftp if you set "use
         ssh2 sftp subsys" in your gftp options.

     scponly doesn't do anything to manage read/write permissions.  The ssh
     applications already do that just fine.  If you use scponly, be aware
     that good old Unix-style file permissions are still doing the work of
     protecting your files.

NOTES
     *   As recent as June 26, 2002, vulnerabilities have been discovered in
         OpenSSH.  There is also a SSH1 protocol vulnerability.  If you're
         going to use scponly , be aware it is no more secure than the ssh
         installation it runs on.

     *   I've since discovered that ssh.com's commercial ssh offering supports
         BOTH "dummy users" as well as functionality paralleling scponly.  I
         have not been able to find any notes on these features, but I did
         read that they exist.  I will make a point to include more
         information later.  It appears that OpenSSH does not yet support
         these features.  At this time, I have no plans to end-of-life
         scponly, though ultimately, I recognize that scponly should
         eventually become just a feature of whichever sshd you may run.

FILES
     /usr/local/bin/scponly            The default location for the shell
                                       itself.
     /usr/local/sbin/scponlyc          The default location for the chrooted
                                       version of scponly
     /etc/shells                       To be a proper shell, it has to be
                                       included here.

SEE ALSO
     chroot(2), ssh(1), scp(1), sftp(1), shells(5), sshd(8).

AUTHORS
     Joe Boyle <joe@sublimation.org>.

LEGALITIES
     Copyright (C) 2001, 2002, 2003
     Joe Boyle <joe@sublimation.org>.

     Redistribution and use in source and binary forms, with or without
     modification, are permitted provided that the following conditions are
     met:

     1. Redistributions of source code must retain the above copyright notice,
     this list of conditions and the following disclaimer.

     2. Redistributions in binary form must reproduce the above copyright
     notice, this list of conditions and the following disclaimer in the
     documentation and/or other materials provided with the distribution.

     THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
     IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
     OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
     IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
     INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
     NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
     DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
     THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
     (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
     THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

BUGS
     Versions prior to 2.4 have a vulnerability wherein the .ssh/environment
     file can be used to override $PATH and $LD_LIBRARY_PATH vars,
     compromising the shell.

                                 Sept 03, 2002