Date:      Fri, 12 Oct 2001 22:20:25 -0700
From:      "Crist J. Clark" <cristjc@earthlink.net>
To:        Francisco Reyes <lists@natserv.com>
Cc:        FreeBSD Questions List <questions@FreeBSD.ORG>
Subject:   Re: Automating ssh connections so only one command would run.
Message-ID:  <20011012222025.I6274@blossom.cjclark.org>
In-Reply-To: <20011013005710.A10822-100000@zoraida.natserv.net>; from lists@natserv.com on Sat, Oct 13, 2001 at 12:59:00AM -0400
References:  <20011011224233.G293@blossom.cjclark.org> <20011013005710.A10822-100000@zoraida.natserv.net>

On Sat, Oct 13, 2001 at 12:59:00AM -0400, Francisco Reyes wrote:
> On Thu, 11 Oct 2001, Crist J. Clark wrote:
> 
> > On Thu, Oct 11, 2001 at 11:38:34PM -0400, Francisco Reyes wrote:
> > > I followed several tutorials on how to automate ssh connections, but I
> > > would like to restrict the connection so only scp would run.
> >
> > scp(1) and ssh(1) are not really designed to work this way. Even if
> > you can limit users to scp(1),
> 
> Do you know? That is what I am trying to find.
> 
> 
> > it is trivial to slip commands through scp(1),
> >
> >   $ scp 'remote:somefile;touch /tmp/scp_test' .
> >
> > And check for /tmp/scp_test on the remote machine.
> 
> I don't see how this is a security problem. Could you explain?

I presume you want to limit people to scp(1) so they do not have full
shell access; they can't execute arbitrary commands on the remote
machine. With scp(1), you can do,

  $ cat > command.sh <<EOF
  > exec > command.out 2>&1
  > <put your arbitrary commands here>
  > EOF
  $ scp command.sh remote:
  $ scp 'remote:nonexistent; /bin/sh command.sh' .
  $ scp remote:command.out .
  $ more command.out

Actually, you don't need the last step, but I thought you might like
to get your data back.

> Automating scp may not be the most secure way to copy data, but is there a
> better way?

scp = ssh = shell access. But I may have misunderstood what you are
trying to achieve.
-- 
Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org
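
Added example, not part of the original message or of OpenSSH: the commands above work because sshd hands the requested command line to the account's shell, so one mitigation is a forced command that checks the request and runs scp without a shell parsing it. It assumes the legacy scp protocol (remote side invoked as `scp -t` or `scp -f`); the script path, the `ALLOWED_DIR` value and the key in the comment are placeholders.

```sh
#!/bin/sh
# Added example: forced-command filter for a key that may only run scp.
# Hypothetical authorized_keys entry (path and key are placeholders):
#   command="/usr/local/libexec/scp-only.sh",no-pty,no-port-forwarding ssh-rsa AAAA...
# sshd runs this script instead of the client's request and passes the
# requested command line in SSH_ORIGINAL_COMMAND.
LC_ALL=C; export LC_ALL
ALLOWED_DIR=/home/xfer/incoming   # assumption: the only tree this key may use

# Return 0 only for: scp [-r|-p|-d|-v]... (-t|-f) <plain path under ALLOWED_DIR>
scp_cmd_allowed() {
    set -f                # split into words without glob expansion
    set -- $1
    set +f
    [ "${1-}" = scp ] || return 1
    shift
    mode=
    while [ $# -gt 1 ]; do
        case $1 in
            -t|-f) mode=$1 ;;        # sink / source mode of the legacy protocol
            -r|-p|-d|-v) ;;          # modifiers scp itself sends
            *) return 1 ;;           # extra words, e.g. "x;" "/bin/sh" "command.sh"
        esac
        shift
    done
    [ -n "$mode" ] && [ $# -eq 1 ] || return 1
    case $1 in
        *[!A-Za-z0-9._/-]*) return 1 ;;   # ';', '|', '$', '`', quotes, ...
        *..*)               return 1 ;;   # no climbing out of ALLOWED_DIR
        "$ALLOWED_DIR"/?*)  return 0 ;;
    esac
    return 1
}

# Entry point: only active when sshd invoked us with a client request.
if [ -n "${SSH_ORIGINAL_COMMAND-}" ]; then
    if scp_cmd_allowed "$SSH_ORIGINAL_COMMAND"; then
        set -f
        exec $SSH_ORIGINAL_COMMAND   # word-split only; no shell parses it
    fi
    echo "scp-only: rejected request" >&2
    exit 1
fi
```

The filter only constrains the command line; what the key can read or overwrite inside `ALLOWED_DIR` is still governed by file permissions on the remote account.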
