secure file uploading with scponly
November 23, 2008
If you’re administrating Linux servers you may need someone or some script to copy files onto your server. You could now install a special service like a ftp server or you could use a normal ssh user for this. The problem with the first is that you need an extra service which adds complexity and also provides an additional attack vector. The problem with the normal ssh user is that you provide the script or user functionally on your server that he/it does not need for his/its work (like exciting programs) – this is never a good idea.
What I recommend for this is a program called scponly. It does basically what the name says, if a ssh user has it set as its shell the user is only able to use scp functionality. Ubuntu and Debian provide a package for it but you should read an article like this one to know to setup it up securely. For example it is a really bad idea to allow the user to write into his home directory as a writable home directory will make it possible for the user to subvert scponly by modifying ssh configuration files.
1 Comment »
RSS feed for comments on this post. TrackBack URI
Leave a comment
Powered by WordPress
Entries and comments feeds.
Valid XHTML and CSS.
36 queries. 0.048 seconds.
[…] A nice way to limit secure file copy using ssh. secure file uploading with scponly | Robert Penz Blog […]
Pingback by Interesting Information Security Bits for 11/24/2008 at Infosec Ramblings — November 24, 2008 #