Install And Configure Scponly In CentOS

Introduction

Scponly is an alternative shell for system administrators who would like to provide access to remote users to both read and write local files without providing any remote execution privileges. Functionally, it is best described as a wrapper to the tried and true ssh suite of applications. Scponly is a secure alternative to anonymous FTP. It gives the administrator the ability to setup a secure user account with restricted remote file access and without access to an interactive shell.

A typical usage of scponly is in creating a semi-public account. This allows an administrator to share files in the same way an anon ftp setup would, only employing all the protection that ssh provides. This is especially significant if you consider that ftp authentications traverse public networks in a plain text format.

Prerequisites

Before starting this tutorial, there are some prerequisites such:

  • You need a fresh CentOS 6 or 7 Droplet.
  • And you need also to run all commands as a non-root user.

Install and Configure Scponly

Step 1:

There are 5 required packages to be installed in order to build the scponly from source, those packages are the following:

  • Wget: to download files
  • man: to read man pages
  • rsync: to provide advanced file copying
  • gcc: to compile scponly from source
  • openssh-client-tools: to use various ssh tools

To install those packages we will use the following command:

sudo yum install wget man rsync gcc openssh-clients -y

Step 2:

Now we will download the latest version of Scponly using the following instructions. We will start by moving to /opt directory using the following command, which is an used for optional software:

cd /opt

And we will use the following command to install the latest version of Scponly:

sudo wget http://sourceforge.net/projects/scponly/files/scponly-snapshots/scponly-20110526.tgz

And to extract the file we will use the following command:

sudo tar -zxvf scponly-20110526.tgz

Step 3:

Now after downloading and extracting the file, we will start the building of scponly using 3 main commands: configure, make and make install.

We will move to the directory where there is the source code of scponly using the following command:

cd /opt/scponly-20110526

Then we will use the first command “configure” to build a makefile with our selected features.

We choose the following options:

  • --enable-chrooted-binary: Installs chrooted binary scponlyc
  • --enable-winscp-compat: Enables compatibility with WinSCP, a Windows scp/sftp client
  • --enable-rsync-compat: Enable compatibility with rsync, a very versatile file copying utility
  • --enable-scp-compat: Enables compatibility with the UNIX style scp commands

As it is written in the following command:

sudo ./configure --enable-chrooted-binary --enable-winscp-compat --enable-rsync-compat --enable-scp-compat --with-sftp-server=/usr/libexec/openssh/sftp-server

Now we will use the second command “make” to build the selected options into the binaries that will be installed and runned in your system.

sudo make

And we will install the binaries using the following command:

sudo make install

And we will add the scponly shells to the /etc/shells file using the following command:

sudo /bin/su -c "echo "/usr/local/bin/scponly" >> /etc/shells"

Now we have added a new shell to the system called scponly and we have located the binary at the /usr/local/bin/scponly directory.

After that we will create our group called scponly using the following command:

sudo groupadd scponly

Step 4:

In this section we will create a centralized upload directory for the scponly group. This allows you control over where and how much data can be uploaded to the server.

Create a directory named /pub/upload this will be a directory dedicated to uploads:

sudo mkdir -p /pub/upload

Change the group ownership of the /pub/upload directory to scponly:

sudo chown root:scponly /pub/upload

The next step is setting up permissions on the /pub/upload directory. By setting the permissions on this directory to 770 we are giving access to only the root users and members of the scponly group.

Change permissions on the /pub/upload directory to read, write, and execute for the owner and group and remove all permissions for others:

sudo chmod 770 /pub/upload

Step 5:

To check our scponly configuration, we will setup a new user account. So we will start by creating an user called Waf_User and mention scponly as an alternative group and /usr/local/bin/scponly as the shell using the following command:

sudo useradd -m -d /home/Waf_User -s "/usr/local/bin/scponly" -c "Waf_User" -G scponly Waf_User

Now we will edit the permissions on the Waf_User home directory using the following command:

sudo chmod 500 /home/Waf_User

And we will finish this step by adding a password to our created user using the following command:

sudo passwd Waf_User

Step 6:

In this step, we will check if our scponly shell works remotely. We will start by checking if our created user has’nt access to the terminal. To do we will try to log into the server as a Waf_User using the following command:

su - Waf_User

If you haven’t access press the ctrl+c to exit the scponly shell. And you can also check the access from your local machine using the following command:

ssh [email protected]your_IP

You will see that you haven’t access, so again press the ctrl+c to exit the scponly shell.

Step 7:

Now we will check that with our created user we can download files. We will start by creating a 100 Mbytes file using the following command:

sudo fallocate -l 100m /home/Waf_User/Waf_file.img

Now we will change the ownership of the Waf_file.img to the Waf_User using the following command:

sudo chown Waf_User:Waf_User /home/Waf_User/Waf_file.img

Then move to the tmp directory using the following command:

cd /tmp

Then we will use the following command to move to our server:

sftp [email protected]your_IP

Then use the following commands to download file:

ls -l
get Waf_file.img

After finishing the download use the quit command to exit:

quit

Check that the file was downloaded successfully before returning to your local machine.

ls -l Waf_file.img

Step 8:

Now we will check that the Waf_User can download files to the server using the sftp command.

As the previous step, create a 100 megabyte file called Waf_upload.img using the following command:

fallocate -l 100m /home/Waf_User/Waf_upload.img

Then from your local system connect to your server using the following command:

sftp [email protected]your_IP

Then upload the file using the following command:

put Waf_upload.img /pub/upload/

Check that the file was successfully uploaded using the following command:

ls -ltr /pub/upload

You will get something like this:

-rw-r--r--    1 Waf_User Waf_User 104857600 Juil  27 08:58 Waf_upload.img

And finally use the quit command to exit:

quit

Conclusion

Now, you have a scponly installed and configured in your system. This tool is a limited shell for allowing users scp/sftp access and only scp/sftp access to your box. Additionally, you can setup scponly to chroot the user into a particular directory increasing the level of security.

Source and Reference links: