Tips N Tricks

Secure File Transfer without Secure Shell

FTP (File Transfer Protocol) is the de-facto but insecure method to transfer files. SSH (Secure Shell) and its family of services, such as SCP (Secure Copy) and SFTP (Secure FTP), allow you shell (telnet-like) access as well as file transfer via SCP and SFTP, securely. By “securely” I mean that the data that flows across is encrypted, including the username and password. SSH is a popular protocol for shell access and file transfer in the Linux world.

So, given a choice, SCP/SFTP is a better option in terms of “security”. But enabling SFTP/SCP enables, by default, shell access too. Recently, for one of my clients, the requirement was to use SCP instead of FTP while blocking shell access, so that no user could log in out of curiosity, nor execute any program/script on the server, even by mistake. All they could do is copy files across, from their desktop to the server and vice versa. But I could not find anything in the SSH configuration that barred shell access while still allowing SCP.

The solution lay outside SSH and was trivial. It is called scponly. scponly is a shell program, just like Bash or Ksh, which bars shell access via SSH. I had CentOS 5.2 running on the client’s server. The scponly RPM was not available from the CentOS repositories, so I set up the RPMForge repository as follows:

rpm -ivh http://apt.sw.be/redhat/el5/en/i386/rpmforge/RPMS/rpmforge-release-0.3.6-1.el5.rf.i386.rpm

Note that the above setup is specific to CentOS 5. Subsequently, I installed scponly as:

yum install scponly

Next, the shell of all the users who are barred SSH access must be set to /usr/bin/scponly. For existing users there are two ways to do it:

Method 1: Using usermod (Recommended)
Log in as root and issue the following command:

usermod --shell /usr/bin/scponly <username>

Substitute <username> with the name of the user who will be barred shell access.

Method 2: Edit /etc/passwd
Log in as root and open the file named passwd, found in the /etc directory, in a text editor. The file contains an entry for each user on a separate line, along with their shell name. For example:

<username>:x:506:508::/home/<username>:/bin/bash

Replace /bin/bash with /usr/bin/scponly. Save the file. This will change the shell of the user named <username> to scponly.

For new users
For new users you can set the shell to scponly while creating the user via the useradd command:

useradd --shell /usr/bin/scponly <username>

Once done, when a user who is barred shell access tries to SSH in, he/she will be able to proceed up to the password prompt. At the prompt, even after supplying a correct password, he/she will not be dropped into a shell. In fact, it will appear as if the SSH login has hung: no errors, no access-denied messages.
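As an added example (not part of the original post), here is a small POSIX shell script that audits a passwd file for accounts still holding an interactive shell and prints the Method 1 usermod command for each one. The passwd entries are constructed sample data, and the UID threshold of 500 is an assumption matching CentOS 5’s first regular user.

```shell
#!/bin/sh
# Added example, not from the original post: audit which accounts still have
# an interactive shell instead of /usr/bin/scponly, so every transfer-only
# user can be confirmed as converted. The passwd lines are constructed data.

SCPONLY=/usr/bin/scponly

# Print "user:shell" for each account in passwd file $1 whose UID is at
# least $2 (skips system accounts) and whose shell is not scponly.
interactive_users() {
    awk -F: -v min="$2" -v scponly="$SCPONLY" \
        '$3 >= min && $7 != scponly { print $1 ":" $7 }' "$1"
}

# Build the Method 1 command that switches account $1 to scponly.
convert_cmd() {
    printf 'usermod --shell %s %s\n' "$SCPONLY" "$1"
}

# Constructed sample passwd file (UID 500 assumed as the first regular user,
# as on CentOS 5). On a real host you would pass /etc/passwd instead.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:506:508::/home/alice:/bin/bash
bob:x:507:508::/home/bob:/usr/bin/scponly
carol:x:508:508::/home/carol:/bin/ksh
EOF

# Report every regular user still holding a shell, with the fix to apply.
interactive_users "$SAMPLE" 500 | while IFS=: read -r user shell; do
    echo "$user has shell $shell; run: $(convert_cmd "$user")"
done
```

Running it against the sample lists alice and carol (bob is already converted, root is below the UID threshold).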


Discussion

4 comments for “Secure File Transfer without Secure Shell”

  1. how to see shell file of any website? whr username password are make it self safe……


    Posted by max payne | September 19, 2009, 12:45 am
  2. what is root directory ?


    Posted by max payne | September 19, 2009, 12:46 am
  3. Hi Max Payne,

    how to see shell file of any website ?

    You cannot see the shell of any website. To see or access the shell of a website, the website owner must be running a service like SSH or Telnet.

    what is root directory ?

    In Linux/Unix the root directory refers to / (the topmost directory). Think of it as C:\ (as in Windows).


    Posted by Shekhar | September 22, 2009, 8:53 am
  4. can u tell me all about domain and c-panel……. some of php my admin, webmail, my admin


    Posted by max payne | September 26, 2009, 11:58 pm
