[Gllug] Non-interactive sftp

Bruce Richardson itsbruce at uklinux.net
Mon Oct 10 14:43:15 UTC 2005


On Mon, Oct 10, 2005 at 01:08:55PM +0100, Steve wrote:
> Hi Chums,
> 
> I'm trying to allow sftp using key-based authentication so that some
> critical files can be transferred securely via cron.  I don't want to
> allow the ftp user an interactive shell.
> 
> I've set up key-based authentication, and verified this works with
> ssh/scp and an interactive shell.  I then set the ftp user's
> login shell to /bin/true.  /bin/true is in /etc/shells, all directories
> in the /path/to/ftp/user are chmod'd a+x but when I try to sftp a test
> file, the client debug output says: couldn't canonicalise - permission
> denied - after accepting keys and calling the sftp subsystem; What have
> I missed?

You can't do this the way you're trying to do it.  SFTP does require the
user to have a shell that can pass commands to the sftp-server binary.
What you need is a special shell that can spot when it is being used for
sftp and pass on the commands but exit with an error in any other
context.  rssh is one such.

The canonicalise error, however, may also indicate that you have
permissions problems somewhere.  What happens if the user has a standard
shell?

-- 
Bruce

I see a mouse.  Where?  There, on the stair.  And its clumsy wooden
footwear makes it easy to trap and kill.  -- Harry Hill
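
Added example, not part of the original message and not rssh's code: a minimal login shell of the kind described above, which hands the sftp subsystem request to sftp-server and refuses everything else. The script name "sftponly" and the sftp-server path are assumptions; the path must match the "Subsystem sftp" line in sshd_config exactly and carry no arguments.

```shell
#!/bin/sh
# Illustrative sftp-only login shell (hypothetical name: sftponly).
# Assumption: sshd_config has "Subsystem sftp /usr/lib/openssh/sftp-server".
SFTP_SERVER=/usr/lib/openssh/sftp-server

# sshd starts a subsystem or remote command as:  <login shell> -c "<command>"
# and an interactive login as the login shell with no arguments.
# classify prints "sftp" only for the exact subsystem command, else "deny".
classify() {
    [ "$#" -eq 2 ] || { echo deny; return; }
    [ "$1" = "-c" ] || { echo deny; return; }
    # Exact string comparison: extra arguments or appended shell syntax
    # ("...; id") do not match and are refused, never evaluated.
    if [ "$2" = "$SFTP_SERVER" ]; then
        echo sftp
    else
        echo deny
    fi
}

sftponly_main() {
    if [ "$(classify "$@")" = "sftp" ]; then
        # Replace this process with sftp-server; the client's command
        # string is not passed to a real shell at any point.
        exec "$SFTP_SERVER"
    fi
    echo "This account is restricted to sftp." >&2
    return 1
}

# Act as the login shell only when installed under the assumed name, so
# the functions above can be sourced or tested without side effects.
case "${0##*/}" in
    sftponly)
        sftponly_main "$@"
        exit $?
        ;;
esac
```

With /bin/true as the login shell, the same `-c` invocation simply exits successfully without ever starting sftp-server, so the client never gets a working sftp session.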