"Fossies" - the Fresh Open Source Software Archive

Member "scponly-20110526/scponly.8.alternate_manpage" (13 Jul 2007, 4912 Bytes) of package /linux/privat/old/scponly-20110526.tgz:


As a special service "Fossies" has tried to format the requested text file into HTML format (style: standard) with prefixed line numbers. Alternatively you can here view or download the uninterpreted source code file.

    1 .TH scponly 8 "Sept 04, 2002" ""
    2 .SH NAME
    3 \fBscponly\fP
    4 .SH SYNOPSIS
    5 \fBscponly\fP
    6 \- limited shell for secure file transfers
    7 .SH DESCRIPTION
    8 \fBscponly\fP
    9 is an alternative "shell" (of sorts) for system administrators who would like
   10 to provide access to remote users to both read and write local files without
   11 providing any remote execution privileges.  Functionally, it is best described
   12 as a wrapper to the trusted suite of ssh applications.
   13 
   14 A typical usage of
   15 \fBscponly\fP
   16 is in creating a semi-public account not unlike the concept of anonymous login
   17 for ftp.  This allows an administrator to share files in the same way an
   18 anonymous ftp setup would, only employing all the protection that ssh provides.
   19 This is especially significant if you consider that ftp authentications
   20 traverse public networks in a plaintext format.
   21 
   22 Instead of just a single anonymous user,
   23 \fBscponly\fP
   24 supports configuring potentially many users, each of which could be set
   25 up to provide access to distinct directory trees.  Aside from the installation
   26 details, each of these users would have their default shell in /etc/passwd set
   27 to "/usr/local/bin/scponly" (or wherever you choose to install it).  This
   28 would mean users with this shell can neither login interactively or execute
   29 commands remotely.  They can however, scp files in and out, governed by the
   30 usual Unixish file permissions.
   31 .SH FEATURES
   32 .IP \(bu
   33 Logging:
   34 \fBscponly\fP
   35 logs time, client IP address, username, and the actual request to syslog.
   36 .IP \(bu
   37 chroot:
   38 \fBscponly\fP
   39 can chroot to the user's home directory (or any other directory the user has
   40 permissions for), disallowing access to the rest of the filesystem.
   41 .IP \(bu
   42 sftp compatibility: 
   43 \fBscponly\fP
   44 is fully compatible with sftp.
   45 .IP \(bu
   46 Security checks:  root login is disallowed, seteuid after chroot.
   47 .IP \(bu
   48 WinSCP compatibility:
   49 \fBscponly\fP
   50 can be compiled in WinSCP compatibility mode that will permit a
   51 "semi-interactive" shell that WinSCP can use.
   52 .IP \(bu
   53 gftp compatibility.
   54 \fBscponly\fP is also fully compatible with gFTP in sftp mode.
   55 
   56 \fBscponly\fP
   57 doesn't do anything to manage read/write permissions.  The ssh applications
   58 already do that just fine.  If you use
   59 \fB,\fP
   60 be aware that good old Unix-style file permissions are still doing the work of
   61 protecting your files.
   62 .SH NOTES
   63 .IP \(bu
   64 As recent as June 26, 2002, vulnerabilities have been
   65 discovered in OpenSSH.  There is also a SSH1 protocol vulnerability.  If 
   66 you're going to use
   67 \fB,\fP
   68 , be aware it is no more secure than the ssh installation it runs on.
   69 .IP \(bu
   70 I've since discovered that ssh.com's commercial ssh offering supports BOTH
   71 "dummy users" as well as functionality paralleling
   72 \fB.\fP
   73 I have not been able to find any notes on these features, but I did read that
   74 they exist.  I will make a point to include more information later.  It appears
   75 that OpenSSH does not yet support these features.  At this time, I have no
   76 plans to end-of-life
   77 \fB,\fP
   78 though ultimately, I recognize that
   79 \fB,\fP
   80 should eventually become just a feature of whichever sshd you may run.
   81 .SH FILES
   82 .TP
   83 .B /usr/local/bin/scponly
   84 The default location for the shell itself.
   85 .TP
   86 .B /usr/local/sbin/scponlyc
   87 The default location for the chrooted version.
   88 .TP
   89 .B /etc/shells
   90 To be a proper shell, it has to be included here.
   91 .SH SEE ALSO
   92 \fBchroot\fP(2),
   93 \fBssh\fP(1),
   94 \fBscp\fP(1),
   95 \fBsftp\fP(1),
   96 \fBshells\fP(5),
   97 \fBsshd\fP(8).
   98 .SH AUTHORS
   99 An Joe Boyle Aq joe@sublimation.org .
  100 .SH LEGALITIES
  101 Copyright (C) 2001, 2002, 2003
  102 An Joe Boyle Aq joe@sublimation.org .
  103 
  104 Redistribution and use in source and binary forms, with or without
  105 modification, are permitted provided that the following conditions are met:
  106 
  107 1. Redistributions of source code must retain the above copyright notice, this
  108 list of conditions and the following disclaimer.
  109 
  110 2. Redistributions in binary form must reproduce the above copyright notice,
  111 this list of conditions and the following disclaimer in the documentation
  112 and/or other materials provided with the distribution.
  113 
  114 THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED
  115 WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
  116 MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.  IN NO
  117 EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
  118 EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
  119 OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
  120 INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
  121 CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
  122 IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY
  123 OF SUCH DAMAGE.
  124 .SH BUGS
  125 Versions prior to 2.4 were susceptible to shell circumvention via the 
  126 $HOME/.ssh/environment file which allowed perversion of LD_LIBRARY_PATH and PATH
  127 environment variables.