March 1, 2008 · Security

scponly is an alternative ‘shell’ (of sorts) for system administrators who would like to give remote users read and write access to local files without granting any remote execution privileges. Functionally, it is best described as a wrapper around the tried and true ssh suite of applications.

A typical use of scponly is creating a semi-public account, not unlike anonymous login for ftp. This lets an administrator share files the same way an anonymous ftp setup would, only with all the protection that ssh provides. This is especially significant when you consider that ftp authentications traverse public networks in plain text.

Install scponly in ubuntu

sudo aptitude install scponly

This completes the installation.

Configuring scponly

Edit the /etc/shells file to include the scponly shell, which in my testing was installed to /usr/bin. You can simply append /usr/bin/scponly to the end of /etc/shells.

At this point, you should be able to create a user and set the user’s shell to scponly. This will allow the user to use an SCP/SFTP client to transfer files, but it will not allow interactive shell access.

Chroot SFTP

Reconfigure the scponly package so that scponlyc (the chroot version) is activated:

sudo dpkg-reconfigure -plow scponly

Answer “Yes”. Now set up the chroot scponly user with the setup_chroot script included in the package. It can’t be an existing user, and don’t create it with adduser; it will be created by the setup_chroot script.

cd /usr/share/doc/scponly/setup_chroot
sudo gunzip setup_chroot.sh.gz
sudo chmod +x setup_chroot.sh
sudo ./setup_chroot.sh

To keep this simple, let’s accept the default answers (scponly for both the username and the home folder). At the end, set the password for the scponly user.

scponlyc has a “bug” and doesn’t work out of the box. To fix it you have to create /dev/null inside the scponly chroot home folder. The right way to do this is:

sudo -i
cd /home/scponly
mkdir /home/scponly/dev
mknod -m 666 /home/scponly/dev/null c 1 3
exit

Now test it from the remote computer:

sftp scponly@server

If you can log in, it worked.
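To confirm the jail was built the way the steps above describe, here is an added shell script (not part of the original post or of the scponly package) that checks /etc/shells for the scponly entry and verifies the /dev/null node inside the chroot has the device numbers and mode the mknod line creates. The jail path and shells file are parameters (an assumption of this example) so it can be run against a constructed test tree as well as the real /home/scponly.

```shell
#!/bin/sh
# Added example: sanity-check an scponlyc chroot built as in the post.
# Uses GNU stat (-c) as found on Ubuntu.

# check_shell_registered SHELLS_FILE SHELL_PATH
# Returns 0 if SHELL_PATH appears as a whole line in SHELLS_FILE
# (the "append /usr/bin/scponly to /etc/shells" step).
check_shell_registered() {
    grep -qx "$2" "$1"
}

# check_dev_null JAIL
# Returns 0 if JAIL/dev/null is a character device with major 1, minor 3
# and mode 0666, which is exactly what "mknod -m 666 .../dev/null c 1 3"
# creates; otherwise prints what is wrong and returns 1.
check_dev_null() {
    node="$1/dev/null"
    if [ ! -c "$node" ]; then
        echo "missing: $node is not a character device (mknod -m 666 $node c 1 3)"
        return 1
    fi
    devnums=$(stat -c '%t:%T' "$node")   # major:minor, printed in hex
    if [ "$devnums" != "1:3" ]; then
        echo "wrong device numbers on $node: $devnums (want 1:3)"
        return 1
    fi
    mode=$(stat -c '%a' "$node")
    if [ "$mode" != "666" ]; then
        echo "wrong mode on $node: $mode (want 666)"
        return 1
    fi
    return 0
}

# check_jail JAIL SHELLS_FILE
# Runs both checks; the return value is the number of failed checks.
check_jail() {
    fails=0
    check_shell_registered "$2" /usr/bin/scponly \
        || { echo "/usr/bin/scponly is not listed in $2"; fails=$((fails + 1)); }
    check_dev_null "$1" || fails=$((fails + 1))
    return "$fails"
}
```

Run it as `check_jail /home/scponly /etc/shells` on the server; a non-zero exit tells you how many of the two steps are still missing.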


5 Comments to “scponly – limited shell for secure file transfers”

  1. weakish says:

    rssh is a similar tool. Besides scp and sftp, it can also support rsync and cvs.

  2. daniel says:

    thank you master !!!

    it works great !!!

    regards from Uruguay

  3. JTW90210 says:

    On our Hearty install we were getting “no such file or directory” errors in the auth.log until we touched up some of the libraries in the jail (thanks to dmonty:)
    cp -p /lib/libncurses.so.5 lib/
    cp -p /lib/libdl.so.2 lib/
    cp -p /lib/libc.so.6 lib/
    mkdir lib64
    cp -p /lib64/ld-linux-x86-64.so.2 lib64/

  4. Hello,

    I am currently developing/maintaining a limited shell project: lshell.
    It lets you restrict users to a specific set of commands, allow or forbid scp, sftp, and some other features.
    I thought you might be interested in trying it.
    You can find the details of this project here: http://ghantoos.org/limited-shell-lshell/

    A Debian/Ubuntu package is available: .

    Hope this helps,

    Cheers,
    Ignace M -ghantoos-

  5. bc says:

    I wrestled with this /dev/null bug all day until I found this! Thank you!!!
