Disable SSH Logins on a Linux Box and Allow SCP/SFTP Logins by Using “scponly” October 12, 2012. Posted by Tournas Dimitrios in Linux.
All Linux admins are aware of Secure Shell (SSH), a network protocol that lets two networked devices exchange data over a secure channel. It was designed as a replacement for Telnet and other insecure remote shell protocols (rsh, rcp, ...), which send information in plain text. When those old protocols were in use, all a script-kiddie had to do was put his/her network card (NIC) into promiscuous mode, fire up a packet analyzer and... voilà... every character was displayed on his/her monitor (notably usernames and passwords). SSH has many uses, from simple secure terminal authentication (username/password or public-key authentication), secure copy and tunneling of other insecure protocols, up to secure remote desktop. My Linux-Index page has already published articles that describe all these uses of SSH.
Here is the scenario: only an administrator on the local network (LAN) should have SSH access to the server. All other users, especially WAN users, should be restricted to SCP and SFTP logins and denied SSH logins (e.g. with PuTTY), so that they cannot execute files or programs. Introducing scponly...
scponly is an alternative shell that restricts users to SCP and SFTP logins and disallows SSH logins. It is a wrapper around the OpenSSH suite of applications. With the help of scponly you can let your users use clients such as WinSCP or FileZilla to upload/download files while refusing them SSH logins. This article shows how to install scponly on a RedHat-based distribution (CentOS), though the same concepts apply to other distros (Debian-based). scponly is an extremely simple restricted shell: a user account that has the scponly binary as its shell cannot do anything except transfer data to and from the remote host via scp, sftp or rsync.
An alternative to scponly is rssh, which provides a little more functionality: you can limit users to selected protocols such as scp, sftp, rsync, cvs or rdist, with or without a chroot environment.
My preferred way of installing packages on CentOS is yum; Debian-based distros have a similar package manager (aptitude). If you prefer the “old-school” way of installing packages, download the sources and run ./configure, make and make install. Here are the links: latest rssh .tar.gz, latest scponly .tgz.
For RedHat:
yum install rssh
yum install scponly
For Debian:
apt-get install rssh
apt-get install scponly
scponly doesn’t need any configuration and works out of the box; the only thing that needs to be done is to set it as the default shell for each user account. Here are two examples.
Create a new user account with scponly as the default shell:
useradd -s /usr/sbin/scponly userxyz
Or modify an existing user account to set scponly as its shell:
usermod -s /usr/sbin/scponly userxyz
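To verify that the scenario above actually holds (only the LAN administrator keeps an interactive shell, everyone else is on scponly or another restricted shell), here is an added audit script that is not part of the original article. It works on passwd-format lines; the sample lines, the user names and the set of restricted shell paths are constructed for the example, and /etc/shells is only consulted because chsh and PAM’s pam_shells refuse shells that are not listed there.

```shell
#!/bin/sh
# Constructed sample of /etc/passwd lines (not from a real system).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
admin:x:1000:1000:LAN admin:/home/admin:/bin/bash
userxyz:x:1001:1001::/home/userxyz:/usr/sbin/scponly
bob:x:1002:1002::/home/bob:/bin/bash
ftpuser:x:1003:1003::/home/ftpuser:/usr/bin/rssh'

# Shells that do not give an interactive login: scponly and rssh from this
# article, plus the usual placeholders. Adjust the paths to your distro.
RESTRICTED_SHELLS='/usr/sbin/scponly /usr/bin/scponly /usr/bin/rssh /sbin/nologin /usr/sbin/nologin /bin/false'

# Print regular accounts (UID >= 1000) whose login shell is NOT restricted,
# i.e. accounts that can still open a full SSH session. Reads passwd lines on stdin.
unrestricted_users() {
    awk -F: -v restricted="$RESTRICTED_SHELLS" '
        BEGIN { n = split(restricted, r, " "); for (i = 1; i <= n; i++) ok[r[i]] = 1 }
        $3 >= 1000 && !($7 in ok) { print $1 }
    '
}

# Print the accounts whose shell is scponly (the ones this article sets up).
scponly_users() {
    awk -F: '$7 ~ /\/scponly$/ { print $1 }'
}

# Return 0 if the shell path ($1) is listed in the shells file ($2, default
# /etc/shells); chsh and pam_shells reject a shell that is missing there.
shell_is_registered() {
    grep -qx "$1" "${2:-/etc/shells}"
}

# Example run against the constructed sample (use: getent passwd | unrestricted_users).
printf 'Accounts that still have an interactive shell:\n'
printf '%s\n' "$SAMPLE_PASSWD" | unrestricted_users
printf 'Accounts restricted by scponly:\n'
printf '%s\n' "$SAMPLE_PASSWD" | scponly_users
```

On a live server replace the sample with `getent passwd | unrestricted_users`; every name it prints besides the LAN administrator is an account the scenario says should have been moved to scponly.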
The following screenshots demonstrate the final result. First, PuTTY is used to log in from a Windows box into my local CentOS development server. SSH is used to log in as administrator, a user is created and scponly is set as its default shell. When an attempt is made to SSH into the newly created user account (userxyz123), a message is displayed.
And now, let’s use WinSCP (a GUI client) to log in to the newly created account on the CentOS box.
Further improvements:
On production servers, not only SSH restrictions should be applied to user accounts but also restrictions on the file system (visibility). Although directories can be protected with “chmod”, ordinary users shouldn’t even be able to see the system’s file structure. This can be achieved by confining user accounts to a “chrooted” environment. But that is a subject for another article, so stay tuned.