Scponly is an alternative shell for system administrators who would like to provide access to remote users to both read and write local files without providing any remote execution privileges. Functionally, it is best described as a wrapper to the tried and true ssh suite of applications. Scponly is a secure alternative to anonymous FTP. It gives the administrator the ability to setup a secure user account with restricted remote file access and without access to an interactive shell.
A typical usage of scponly is in creating a semi-public account. This allows an administrator to share files in the same way an anon ftp setup would, only employing all the protection that ssh provides. This is especially significant if you consider that ftp authentications traverse public networks in a plain text format.
Before starting this tutorial, there are some prerequisites such:
- You need a fresh CentOS 6 or 7 Droplet.
- And you need also to run all commands as a non-root user.
Install and Configure Scponly
There are 5 required packages to be installed in order to build the scponly from source, those packages are the following:
- Wget: to download files
- man: to read man pages
- rsync: to provide advanced file copying
- gcc: to compile scponly from source
- openssh-client-tools: to use various ssh tools
To install those packages we will use the following command:
sudo yum install wget man rsync gcc openssh-clients -y
Now we will download the latest version of Scponly using the following instructions. We will start by moving to /opt directory using the following command, which is an used for optional software:
And we will use the following command to install the latest version of Scponly:
sudo wget http://sourceforge.net/projects/scponly/files/scponly-snapshots/scponly-20110526.tgz
And to extract the file we will use the following command:
sudo tar -zxvf scponly-20110526.tgz
Now after downloading and extracting the file, we will start the building of scponly using 3 main commands: configure, make and make install.
We will move to the directory where there is the source code of scponly using the following command:
Then we will use the first command “configure” to build a makefile with our selected features.
We choose the following options:
--enable-chrooted-binary:Installs chrooted binary
--enable-winscp-compat:Enables compatibility with WinSCP, a Windows scp/sftp client
--enable-rsync-compat:Enable compatibility with rsync, a very versatile file copying utility
--enable-scp-compat:Enables compatibility with the UNIX style scp commands
As it is written in the following command:
sudo ./configure --enable-chrooted-binary --enable-winscp-compat --enable-rsync-compat --enable-scp-compat --with-sftp-server=/usr/libexec/openssh/sftp-server
Now we will use the second command “make” to build the selected options into the binaries that will be installed and runned in your system.
And we will install the binaries using the following command:
sudo make install
And we will add the scponly shells to the /etc/shells file using the following command:
sudo /bin/su -c "echo "/usr/local/bin/scponly" >> /etc/shells"
Now we have added a new shell to the system called scponly and we have located the binary at the /usr/local/bin/scponly directory.
After that we will create our group called scponly using the following command:
sudo groupadd scponly
In this section we will create a centralized upload directory for the scponly group. This allows you control over where and how much data can be uploaded to the server.
Create a directory named
/pub/upload this will be a directory dedicated to uploads:
sudo mkdir -p /pub/upload
Change the group ownership of the
/pub/upload directory to
sudo chown root:scponly /pub/upload
The next step is setting up permissions on the
/pub/upload directory. By setting the permissions on this directory to 770 we are giving access to only the root users and members of the scponly group.
Change permissions on the
/pub/upload directory to read, write, and execute for the owner and group and remove all permissions for others:
sudo chmod 770 /pub/upload
To check our scponly configuration, we will setup a new user account. So we will start by creating an user called Waf_User and mention scponly as an alternative group and
/usr/local/bin/scponly as the shell using the following command:
sudo useradd -m -d /home/Waf_User -s "/usr/local/bin/scponly" -c "Waf_User" -G scponly Waf_User
Now we will edit the permissions on the Waf_User home directory using the following command:
sudo chmod 500 /home/Waf_User
And we will finish this step by adding a password to our created user using the following command:
sudo passwd Waf_User
In this step, we will check if our scponly shell works remotely. We will start by checking if our created user has’nt access to the terminal. To do we will try to log into the server as a Waf_User using the following command:
su - Waf_User
If you haven’t access press the ctrl+c to exit the scponly shell. And you can also check the access from your local machine using the following command:
ssh [email protected]your_IP
You will see that you haven’t access, so again press the ctrl+c to exit the scponly shell.
Now we will check that with our created user we can download files. We will start by creating a 100 Mbytes file using the following command:
sudo fallocate -l 100m /home/Waf_User/Waf_file.img
Now we will change the ownership of the Waf_file.img to the Waf_User using the following command:
sudo chown Waf_User:Waf_User /home/Waf_User/Waf_file.img
Then move to the tmp directory using the following command:
Then we will use the following command to move to our server:
sftp [email protected]your_IP
Then use the following commands to download file:
ls -l get Waf_file.img
After finishing the download use the quit command to exit:
Check that the file was downloaded successfully before returning to your local machine.
ls -l Waf_file.img
Now we will check that the Waf_User can download files to the server using the sftp command.
As the previous step, create a 100 megabyte file called Waf_upload
.img using the following command:
fallocate -l 100m /home/Waf_User/Waf_upload.img
Then from your local system connect to your server using the following command:
sftp [email protected]your_IP
Then upload the file using the following command:
put Waf_upload.img /pub/upload/
Check that the file was successfully uploaded using the following command:
ls -ltr /pub/upload
You will get something like this:
-rw-r--r-- 1 Waf_User Waf_User 104857600 Juil 27 08:58 Waf_upload.img
And finally use the quit command to exit:
Now, you have a scponly installed and configured in your system. This tool is a limited shell for allowing users scp/sftp access and only scp/sftp access to your box. Additionally, you can setup scponly to chroot the user into a particular directory increasing the level of security.
Source and Reference links: