The scponly pseudo-shell provides a file-transfer only shell for *Nix systems with optional support for using a chrooted environment.
Shell C
Permalink
Failed to load latest commit information.
build_extras added ralf's changes Dec 31, 2003
.gitignore Add .gitignore Oct 11, 2011
AUTHOR scponly-3.0 Mar 7, 2003
BUILDING-JAILS.TXT added some notes Dec 20, 2005
CHANGELOG Update changelog to reflect change d8ca582.. Dec 13, 2011
CONTRIB Update usage comment. Dec 8, 2010
COPYING long overdue update of copyright date Nov 14, 2003
INSTALL more chroot notes Dec 20, 2005
Makefile.in Revert a change in the template makefile. Dec 8, 2010
README added fix for safeenv vector discard Dec 22, 2005
SECURITY Update the SECURITY document to include references to /etc/popt and ~… Mar 10, 2009
TODO Add TODO note about getopt being required. Jun 16, 2008
aclocal.m4 scponly-3.0 Mar 7, 2003
config.guess scponly v3.10 - 21 mar 2004, Mar 22, 2004
config.h.in Remove sftp logging patch compatibility. Nov 20, 2010
config.sub scponly v3.10 - 21 mar 2004, Mar 22, 2004
configure Remove sftp logging patch compatibility. Nov 20, 2010
configure.in Remove sftp logging patch compatibility. Nov 20, 2010
groups.c Fix most warnings that show up with -Wall in gcc Aug 10, 2007
helper.c When getopt_long is not available, use the bundled netbsd version. Nov 20, 2010
install-sh scponly-3.0 Mar 7, 2003
netbsd_getopt_long.c Remove sftp logging patch compatibility. Nov 20, 2010
scponly.8 Slight documentation fix Jul 13, 2007
scponly.8.alternate_manpage Slight documentation fix Jul 13, 2007
scponly.c Allow -m option to sftp-server for AIX. Dec 13, 2011
scponly.h Remove inline to satisify AIX compiler. Nov 20, 2010
scponly_getopt.h Add scponly_getopt.h May 27, 2011
setup_chroot.sh.in numerous fixes for scponly 4.4 Jan 30, 2006

README

3debe8e4f1c654a658b48dfdc5c2cf9d
http://sublimation.org/scponly

"scponly" is an alternative 'shell' (of sorts) for system
administrators who would like to provide access to remote users to
both read and write local files without providing any remote
execution privileges.  Functionally, it is best described as a
wrapper to the mostly trusted suite of ssh applications.

A typical usage of scponly is in creating a semi-public account not
unlike the concept of anonymous login for ftp.  This allows an
administrator to share files in the same way an anon ftp setup
would, only employing all the protection that ssh provides.  This is
especially significant if you consider that ftp authentications
traverse public networks in a plaintext format.

Instead of just a single anon user, scponly supports configuring
potentially many users, each of which could be set up to provide
access to distinct directory trees.  Aside from the installation details
(see INSTALL), each of these users would have their default shell in
/etc/passwd set to "/usr/local/sbin/scponly" (or wherever you choose
to install it).  This would mean users with this shell can neither
login interactively nor execute commands remotely.  They can however,
scp files in and out, governed by the usual unix file permissions.

Some Features:
==============

- logging:  scponly logs time, client IP address, username, and the 
actual request to syslog.

- choot: scponly can chroot to the user's home directory (or any 
other directory the user has permissions for), disallowing access 
to the rest of the filesystem.  

- sftp compatibility.  my testing of sftp against an scponly user 
worked great.  this is probably the cleanest and most usable way 
for an scponly user to access files.

- sftp logging: if the ./configure directive 
"--enable-sftp-logging-compat" is used, scponly will support sftp 
logging

- WinSCP 2.0/3.0 compatibility.

- gftp compatibility

- rsync compatibility

- security checks: root login is disallowed (though root
should never be configured to be using scponly as the default shell.)
scponly also checks the ownership of directories before chroot-ing
into them.

How it works: 
============= 
If you were to examine the arguments passed to a shell by sshd upon
opening a remote connection, the structure of the argument vector
invariably looks like this:

<shell name> -c <remote command>

scponly validates remote requests by examining the third argument.  
scponly also verifies the request by disallowing what a normal
shell would interpret as "special characters".  This prevents
someone from piggybacking additional commands onto a valid scp
request.  It may seem that using scponly would prevent using scp to
copy files that really do contain special characters.  However,
copying files with special characters in their names can be
accomplished by using wildcards (which are allowable characters) to
match the filenames.

scponly doesnt do anything to manage read/write permissions.  The
ssh applications already do that just fine.  If you use scponly, be
aware that good old unix file permissions are still doing the work
of protecting your files.


MAY 2002 ADDENDUM:
	I've since discovered that ssh.com's commercial ssh offering 
supports BOTH "dummy users" as well as scponly-ish functionality.  I
have not been able to find any notes on these features, but I did read
that they exist.  I will make a point to include more information later.
It appears that OpenSSH does not yet support these features.  At this time,
I have no plans to end-of-life scponly, though ultimately, I recognize
that scponly should eventually become just a feature of whichever sshd 
you may run.

NOV 2003 ADDENDUM:
	OpenSSH still doesnt support configurable chrooting for users OR
disallowing interactive login.  

NOV 2004 ADDENDUM:
	OpenSSH still doesnt support configurable chrooting for users OR
disallowing interactive login.  

DEC 2005 ADDENDUM:
	OpenSSH still doesnt support configurable chrooting for users OR
disallowing interactive login.