scpjail - forces a restricted scp-only account within a jailed directory.
    # chmod 500 /home/luser ; ls -ld /home/luser
    dr-x------ 4 luser staff 512 May 09 21:41 /home/luser

Confirm that any files directly in the user's home directory are NOT writable by the user account. This includes any shell startup files. In fact, there is no reason to have any shell startup files, so if it is easier to just delete .login or .profile, go for it.

Create the .ssh directory in the user's home directory. This directory MUST be owned by the user account, and MUST be chmod'ed 500 (so that it is not writable by anyone, and is readable/executable only for the user.)
    # mkdir /home/luser/.ssh ; chmod 500 /home/luser/.ssh
    # ls -ld /home/luser/.ssh
    dr-x------ 2 luser system 512 May 07 19:50 /home/luser/.ssh

In that .ssh directory, place the public half of the user's keypair into the file ``authorized_keys''. THIS IS IMPORTANT: insert, on the same line as the key, before the key, the text: command="/path/to/scpjail". This is important, because it restricts any use of this key to the execution of this scpjail script, no matter what the user tries to do.
It is also important to again make sure that the authorized_keys file is NOT writable by the user account (or anyone.)
    # chmod 400 /home/luser/.ssh/authorized_keys
    # ls -ld /home/luser/.ssh/authorized_keys
    -r-------- 1 luser system 1291 May 09 21:41 /home/luser/.ssh/authorized_keys
    # cat /home/luser/.ssh/authorized_keys
    command="/usr/local/sbin/scpjail" ssh-dss AAAAB3NMAAACBAIIPIu9j2 ... blah blah blah ... LQwxMc7k6xoIE1qFBWWXjMZeQ== luser@foobar

Finally, create the ``jail'' directory, inside the home directory of the user. By default, the name of this directory is ``JAIL'', but this can be changed by modifying the scpjail script. The user must be able to write to this directory (in fact, it should be the only place that the user can write to.)
    # mkdir /home/luser/JAIL ; chmod 740 /home/luser/JAIL
    # ls -ld /home/luser/JAIL
    drwxr----- 2 luser system 512 May 09 22:04 /home/luser/JAIL
And that is it!
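The permission and forced-command requirements above can be re-checked at any time with a small audit script. This is an added example, not part of scpjail; the function names (audit_scpjail_home, has_mode, owned_by) are this example's own, and it assumes a find that supports -maxdepth (GNU and BSD find both do).

```shell
#!/bin/sh
# Added example: audit one account against the scpjail setup steps above.
# Function and variable names are this example's own, not part of scpjail.

# has_mode PATH MODE: true when PATH exists with exactly that permission mode.
has_mode() { [ -n "$(find "$1" -prune -perm "$2" 2>/dev/null)" ]; }

# owned_by PATH USER: true when PATH exists and belongs to USER (name or uid).
owned_by() { [ -n "$(find "$1" -prune -user "$2" 2>/dev/null)" ]; }

# audit_scpjail_home HOME_DIR USER [JAIL_NAME]: returns 0 when every check passes.
audit_scpjail_home() {
    home=$1 user=$2 jail=${3:-JAIL} rc=0
    fail() { echo "FAIL: $*"; rc=1; }

    has_mode "$home" 500 || fail "$home is not mode 500"

    # Regular files directly in the home directory (dotfiles included)
    # must not be writable by the account.
    writable=$(find "$home" -maxdepth 1 -type f -perm -200 2>/dev/null || true)
    [ -z "$writable" ] || fail "owner-writable files in home: $writable"

    has_mode "$home/.ssh" 500 || fail ".ssh is not mode 500"
    owned_by "$home/.ssh" "$user" || fail ".ssh is not owned by $user"

    keys=$home/.ssh/authorized_keys
    has_mode "$keys" 400 || fail "authorized_keys is not mode 400"
    # Every key line must start with the forced command; a key line without
    # it is not restricted to scpjail at all.
    loose=$(grep -v -e '^[[:space:]]*$' -e '^[[:space:]]*#' "$keys" 2>/dev/null |
            grep -c -v '^command="' || true)
    [ "${loose:-0}" -eq 0 ] || fail "$loose key line(s) without command=\"...\""

    # The jail is the one place the account may write to.
    [ -n "$(find "$home/$jail" -prune -type d -perm -200 2>/dev/null)" ] ||
        fail "$jail is missing or not writable by its owner"

    return "$rc"
}

# Stand-alone use: sh audit.sh /home/luser luser [JAIL]
if [ "$#" -ge 2 ]; then audit_scpjail_home "$@"; fi
```

Run it as root or as the account itself, since authorized_keys is readable only by its owner.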
scpjail will write a message to syslog at facility ``auth'', priority ``notice'' each time it is used successfully:
May 9 22:04:49 whippet scpjail[43364]: executing /usr/local/bin/scp -t /home/luser/JAIL for user luser
scpjail also logs messages at priority ``info'' at numerous places in the script where the attempted connection might fail for various reasons:
May 9 21:48:09 whippet scpjail[31482]: environment variable SSH_ORIGINAL_COMMAND undefined, dying now.
There are three configurable items, all set by modifying the scpjail script:
$scp contains the full path and name of the scp program on the server. By default, it is defined as ``/usr/local/bin/scp''.
$jail contains the name of the directory within the user's home that the user will be jailed into. By default, it is defined as ``JAIL''.
$logfac contains the facility at which scpjail will send syslog messages. By default, it is defined as ``auth''.
$Revision: 1.9 $
Sandor W. Sklar Stanford University ITSS ssklar@stanford.edu http://www.stanford.edu/~ssklar/scpjail/
This program is free software; you may redistribute it and/or modify it under the same terms as Perl itself.