Security Basics mailing list archives

Re: openssh public Key Authentication - with restricted login shell
From: Phillip Macey <phillip.macey () cisra canon com au>
Date: Wed, 11 Nov 2009 09:30:30 +1100

Jannis Kafkoulas wrote:

> I'd like to use scp to transfer data to a Linux box out of a perl script using public key authentication (with no passphrase :-( ).
> As long as the used userid has a regular account on that server everything works fine.
> But for higher security I'd like the user not to be able to login, so I gave him a "nologin shell" in the /etc/passwd. In this case it's also impossible to authenticate as before.
> So I thought it should be a working but restricted "login shell", which is sufficient enough for that user to complete the authentication and to do its scp file transfer, nothing else.
> Any idea?
Specify a command for that public key to run on connection. I use something like this on some of my machines to allow a particular key to only scp a particular file:

    command="sh -c 'scp -t /home/username/filename'" ssh-dss ABCD....ufHlMaTj7= my openssh public key

You can find out exactly what command you need to use in authorized_keys by running 'scp -v' on the client side. One of the things it prints out is the name of the command that it is trying to run. I have not set the login shell for my username to nologin but I would presume that you should be able to do that and still have the scp working.

 Phill Macey (CiSRA IT Services)
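Added example (not code from the original post or from either poster): a forced-command wrapper that goes one step further than the bare command="..." entry above. sshd runs the forced command no matter what the client asked for, and exposes the client's own request in the SSH_ORIGINAL_COMMAND environment variable; the wrapper refuses anything that is not exactly an scp "sink" (-t) request for one fixed destination, so a key that was only ever meant to deliver one file cannot be used for an interactive login, for reading files back with scp -f, or for other commands. The install path /usr/local/bin/scp-sink-only, the key type and the comment in the authorized_keys line are assumptions; the destination path is the one the reply used. Pairing the entry with no-pty, no-port-forwarding, no-X11-forwarding and no-agent-forwarding is standard OpenSSH authorized_keys syntax. Note that OpenSSH 9.0 and later scp clients use the SFTP protocol by default, so their request arrives as an sftp subsystem request rather than "scp -t ..."; such clients need scp -O to fall back to the legacy protocol this wrapper expects.

```python
"""Forced-command wrapper for an scp-only SSH key (added example, not the
original post's code).

Install (hypothetical path) as /usr/local/bin/scp-sink-only and reference it
from ~/.ssh/authorized_keys, for example:

  command="/usr/local/bin/scp-sink-only",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-ed25519 AAAA... automation-key

sshd ignores the command the client asked for, runs this wrapper instead and
puts the client's request in SSH_ORIGINAL_COMMAND. The wrapper only lets the
scp "sink" (-t) invocation for one fixed destination file through.
"""
import os
import shlex
import sys

# Assumption: the same destination path the mailing-list reply used.
ALLOWED_TARGET = "/home/username/filename"

# scp flags that do not change where data goes and are safe to pass along:
# -p preserves times/modes, -v is verbose. Everything else (-r recursion,
# -d directory target, -f "source" mode that reads files) is refused.
HARMLESS_FLAGS = {"-p", "-v"}


def vet_original_command(original, allowed_target=ALLOWED_TARGET):
    """Return the argv to execute if `original` is an acceptable scp sink
    request for `allowed_target`, or None if it must be refused.

    Accepted shape: scp [-p] [-v] -t <allowed_target>
    Anything else (no command at all, i.e. an interactive login attempt,
    scp -f to read files, recursive copies, another destination, extra
    shell syntax) is refused.
    """
    if not original:
        return None
    try:
        argv = shlex.split(original)
    except ValueError:
        return None  # unbalanced quotes: not a well-formed request
    if len(argv) < 3 or argv[0] != "scp":
        return None
    flags, target = argv[1:-1], argv[-1]
    if "-t" not in flags:
        return None
    if any(flag not in HARMLESS_FLAGS | {"-t"} for flag in flags):
        return None
    if target != allowed_target:
        return None
    # Rebuild argv ourselves rather than re-executing the client's string.
    return ["scp", *[f for f in flags if f != "-t"], "-t", allowed_target]


def main():
    requested = os.environ.get("SSH_ORIGINAL_COMMAND", "")
    argv = vet_original_command(requested)
    if argv is None:
        # stderr of a forced command is delivered to the client; sshd's own
        # log still records the session and the key fingerprint server-side.
        print("scp-sink-only: refused request %r" % requested, file=sys.stderr)
        sys.exit(1)
    os.execvp(argv[0], argv)


if __name__ == "__main__":
    main()
```

Because the wrapper rebuilds the scp argv from the vetted pieces, the client's string is never handed to a shell, which is also why this avoids the sh -c indirection in the original entry. Run scp -v on the client, as the reply suggests, to see the exact request string the wrapper will receive.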
