Restricting Secure Copy

From: Ettiene Detroit (edetroit@kiss.my.ass.spammer.com)
Date: 02/26/02

• Next message: Simon Tatham: "Re: Base-64 and key format in general"
• Previous message: those who know me have no need of my name: "Re: rsh-passthru not enabled for this user"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

From: Ettiene Detroit <edetroit@kiss.my.ass.spammer.com>
Date: Mon, 25 Feb 2002 21:46:16 -0800

I searched on the web and did not find this mentioned anywhere so...

I am setting up a system to allow a secure file transfers from a client
to my employer's servers. Depending on how the negotiations turn out we
will either push the return data back or they will pull it. I am
proposing to use openssh and scp with public key authentication to do
the file transfers.
 
After experimenting with chrooting the ssh login I hit upon using smrsh
to restrict the commands a client could run. I set the user shell to
/bin/smrsh and restricted the command set to scp only. I have tested
this for both push and pull and it works nicely. So far I have been
unable to break it and run anything other than scp but there are
probably tricks I do not know about.

I have two questions:

1. Does anyone know of a way to break this and actually get a login
shell or run other commands?

2. Is there anyway to prevent the client from pulling data from
directories outside of their directory tree?

The grapevine tells me that the competition has suggested using Cisco
routers and IPSEC to establish tunnels between networks. I am not averse
to this (I've done it before and it looks good on a resume :-) but if I
can get this ssh trick to work we can probably come in at a lower bid.

-- Stephen Carville http://www.heronforge.net/~stephen/gnupgkey.txt
==============================================================
Government is like burning witches: After years of burning young
women failed to solve any of society's problems, the solution was to
burn more young women.
==============================================================

---

• Next message: Simon Tatham: "Re: Base-64 and key format in general"
• Previous message: those who know me have no need of my name: "Re: rsh-passthru not enabled for this user"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Relevant Pages Re: Restricting Secure Copy ... > I am setting up a system to allow a secure file transfers from a client ... > to restrict the commands a client could run. ... > /bin/smrsh and restricted the command set to scp only. ... chroot cage. ... (comp.security.ssh) Re: file copying ... Remote Desktop has high bandwidth requirements ... Such that little upstream bandwidth is left for file transfers ... thankyou for that, how do i setup ftp server + client, do i have to set up server on pc with files i require and client on pc i need to copy to. ... (uk.comp.homebuilt) Re: Refer to Mobile Device from XP ... while file transfers using an activesync connection are possible, the basic windows mobile design is that ppc's are "client only" os's, so, without external software, the ppc's file system is not accessible using other client software. ... (microsoft.public.pocketpc) strange error message when pushing a file using scp ... When I SCP a file the file transfers but I get the error "protocol error: ... (SSH) slow file transfer ... we've gotta do it all again. ... One big file transfers fine, but a lot of small files takes forever. ... to client is fine. ... Client to server is deathly slow. ... (microsoft.public.windows.server.sbs)

---

• Security
• UNIX
• Linux
• Coding
• Usenet

• News
• Mailing-Lists
• Newsgroups
• Service
• About
• Privacy
• Search
• Imprint

www.derkeiler.com  > Newsgroups  > comp.security.ssh  > 2002-02