Secure File Transfer without Secure Shell

FTP (File Transfer Protocol) is the de facto but insecure method of transferring files. SSH (Secure Shell) and its family of services, SCP (Secure Copy) and SFTP (Secure FTP), give you shell (telnet-like) access as well as file transfer via SCP and SFTP, securely. By “securely” I mean that the data flowing across the connection is encrypted, including the username and password. SSH is the popular protocol for shell access and file transfer in the Linux world.

So, given a choice, SCP/SFTP is the better option in terms of security. But enabling SFTP/SCP also enables, by default, shell access. Recently, for one of my clients, the requirement was to use SCP instead of FTP while blocking shell access, so that no user could log in out of curiosity, nor execute any program or script on the server, even by mistake. All they should be able to do is copy files across, from their desktop to the server and vice versa. But I could not find anything in the SSH configuration that barred shell access while still allowing SCP.

The solution lay outside SSH and was trivial: it is called scponly. scponly is a login shell, just like Bash or Ksh, except that it bars interactive shell access via SSH while still allowing file copies. I had CentOS 5.2 running on the client’s server, and the scponly RPM was not available from the CentOS repositories, so I set up the RPMForge repository as follows:

rpm -ivh http://apt.sw.be/redhat/el5/en/i386/rpmforge/RPMS/rpmforge-release-0.3.6-1.el5.rf.i386.rpm

Note that the above setup is specific to CentOS 5. Subsequently, I installed scponly as:

yum install scponly

Next, the shell of every user who is to be barred from shell access must be set to /usr/bin/scponly. For existing users there are two ways to do it:

Method 1: Using usermod (Recommended)
Login as root and issue the following command:

usermod --shell /usr/bin/scponly <username>

Substitute <username> with the name of the user who is to be barred shell access.

Method 2: Edit /etc/passwd
Log in as root and open the file /etc/passwd in a text editor. The file contains an entry for each user on a separate line, ending with that user’s login shell. For example:

<username>:x:506:508::/home/<username>:/bin/bash

Replace /bin/bash with /usr/bin/scponly and save the file. This changes the shell of the user named <username> to scponly.

For new users
For new users, you can set the shell to scponly while creating the user with the useradd command:

useradd --shell /usr/bin/scponly <username>

Once done, when a user who is barred shell access tries to SSH in, he/she will be able to proceed up to the password prompt. At the prompt, even after supplying the correct password, he/she will not be dropped into a shell. In fact it will appear as if the SSH login has hung: no errors, no access denied messages.
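Restricting a shell per user is only as good as the audit that confirms nobody was missed, so here is an added example (my own, not from the original post) that reads passwd-format text, lists the accounts that still have an interactive shell, and prints the usermod command from the post for each of them. The passwd lines below are constructed sample data; the UID threshold of 500 for "non-system" accounts is an assumption based on the CentOS 5 convention, and the script prints the usermod commands rather than running them, so it can be executed anywhere.

```shell
#!/bin/sh
# Added example: audit login shells in passwd-format text and emit the
# usermod commands needed to restrict remaining interactive accounts.

SCPONLY_SHELL=/usr/bin/scponly   # path used in the post

# Constructed sample data in /etc/passwd format (not a real system).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
alice:x:506:508::/home/alice:/bin/bash
bob:x:507:508::/home/bob:/usr/bin/scponly
daemon:x:2:2:daemon:/sbin:/sbin/nologin
carol:x:508:508::/home/carol:/bin/ksh'

# Print the login names of non-system accounts (UID >= 500, assumed
# CentOS 5 convention) whose shell is neither scponly nor nologin.
# $1 = passwd-format text; output is one username per line.
interactive_users() {
    printf '%s\n' "$1" | awk -F: -v restricted="$SCPONLY_SHELL" '
        $3 >= 500 && $7 != restricted &&
        $7 != "/sbin/nologin" && $7 != "/usr/sbin/nologin" { print $1 }'
}

# Emit (do not run) the usermod command from the post for one user.
restrict_command() {
    printf 'usermod --shell %s %s\n' "$SCPONLY_SHELL" "$1"
}

# Return 0 if user $1 has the scponly shell in passwd text $2, else 1.
is_restricted() {
    printf '%s\n' "$2" | awk -F: -v u="$1" -v s="$SCPONLY_SHELL" '
        $1 == u && $7 == s { found = 1 } END { exit found ? 0 : 1 }'
}

# Show what would have to change on the sample data.
for u in $(interactive_users "$SAMPLE_PASSWD"); do
    restrict_command "$u"
done
```

On a real host, replace SAMPLE_PASSWD with the output of `getent passwd` and pipe the printed commands through review before running them as root; re-running `interactive_users` afterwards should then return nothing.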


Discussion

4 comments for “Secure File Transfer without Secure Shell”

  1. how to see shell file of any website ?
    whr
    username
    password
    are make it self safe……

    Posted by max payne | September 19, 2009, 12:45 am
  2. what is root directory ?

    Posted by max payne | September 19, 2009, 12:46 am
  3. Hi Max Payne,

    how to see shell file of any website ?

    You cannot see shell of any website. To see or access the shell of a website, the website owner must be running a service like SSH or Telnet

    what is root directory ?

    In Linux/Unix the root directory refers to the / (the topmost directory). Think of it as C:\ (as in Windows)

    Posted by Shekhar | September 22, 2009, 8:53 am
  4. can u tell me all about domain and c-panel…….
    some of
    php my admin
    webmail
    my admin

    Posted by max payne | September 26, 2009, 11:58 pm
