
...making Linux just a little more fun!

Talkback:/100/lg_tips.html#tips.14

Michael Pearl [Michael.Pearl at semcoenergy.com]
Tue, 26 Sep 2006 16:27:16 -0400

I recently read a tip you submitted to linuxgazette.net back in December of 2003:

http://linuxgazette.net/100/lg_tips.html#tips.14

I'm using scponly for one of my users and recently he asked for the public key to bypass password prompt. Did you create the user as normal and then add them to scponly? Or did you add them using scponly's script (setup_chroot.sh) first?

- Michael Pearl - SEMCO Information Technology, Inc.




Benjamin A. Okopnik [ben at linuxgazette.net]
Sun, 1 Oct 2006 12:37:12 -0400

----- Forwarded message from Michael Pearl <Michael.Pearl at semcoenergy.com> -----

Date: Sun, 01 Oct 2006 11:27:24 -0400
From: Michael Pearl <Michael.Pearl@semcoenergy.com>
To: TAG <tag@lists.linuxgazette.net>
To: "Benjamin A. Okopnik" <ben at linuxgazette.net>
Subject: Re: [TAG] [LG 100] 2c Tips #14

Thanks for the response, Ben,

I was able to accomplish what I needed by manually creating the .ssh dir in the user's home.

My problem was that I couldn't figure out where the .ssh dir existed for an SCPONLY user. When I created the SCPONLY user using the supplied script, it didn't create a .ssh in their home. I'm still not sure where the ssh keys for an SCPONLY user are held.

After I added the .ssh dir to their home and added their pub key to the authorized_keys file, problem solved.

I really like SCPONLY, but wish their documentation was a bit more complete. Maybe I'll summarize what I learned and put it out on the web....

>>> "Benjamin A. Okopnik" <ben at linuxgazette.net> 9/30/2006 6:10 PM >>>
Hi, Michael -

On Tue, Sep 26, 2006 at 04:27:16PM -0400, Michael Pearl wrote:

> I recently read a tip you submitted to linuxgazette.net back in
> December of 2003:
> 
> http://linuxgazette.net/100/lg_tips.html#tips.14 
> 
> I'm using scponly for one of my users and recently he asked for the
> public key to bypass password prompt. Did you create the user as
> normal and then add them to scponly? Or did you add them using scponly's
> script (setup_chroot.sh) first?

I just re-read Carol's original tip, and I'm not really clear on what you're asking here (perhaps this is the reason for the general silence in response. :) Are you saying that your user wants you to add his public key to his '~/.ssh/authorized_keys' so he can use 'scp' without having to enter a password? This is usually a reasonable thing to do; in fact, many sites use only pubkey-based authentication and disable password-based access.

It's been a few years since I last used 'scponly', but I've just refreshed my memory by re-reading the docs. If I've forgotten something, I hope that someone here - or perhaps Carol - will correct me.

Building a chroot jail, or a group of them for multiple users, is in general not a bad idea - although you need to decide whether your situation warrants doing this, since it involves a bit of work. On the other hand, the author of 'scponly' (Joe Boyle) has done a great job of automating this often-complex process via a well-written shell script. In any case, the answer to the question that I see implied in what you've asked ("where do I put this public key if I do/don't have a chroot jail configured?") is "whatever your top-level '/etc/passwd' has as the user's home directory plus '/.ssh/authorized_keys'". That is, if '/etc/passwd' for the user in question says

	foobar:x:1000:1001:Foobar Q. Zotz:/home/foobar:/usr/bin/scponly

then the key goes into '/home/foobar/.ssh/authorized_keys'. If, however, you've done the 'chroot' installation, then your '/etc/passwd' will look more like this:

	foobar:x:1000:1001:Foobar Q. Zotz:/ALTROOT//home/foobar:/sbin/scponlyc

where ALTROOT is the path to the top of your chroot tree. Note the '//', above: 'scponlyc' uses those to determine the chroot point. In this case, the key would be copied into '/ALTROOT//home/foobar/.ssh/authorized_keys'.

In this latter case, by the way, do take note of the strongly-worded warning in the 'scponly' documentation:

	Unless you are !absolutely! sure of your sshd configuration, the
	users home directory should be empty and owned by root and not
	writeable by the user.

This is a very good idea, and is part of the critical path to a secure chroot jail.

* Ben Okopnik * Editor-in-Chief, Linux Gazette * http://LinuxGazette.NET *

- Michael Pearl - SEMCO Information Technology, Inc.


----- End forwarded message -----

* Ben Okopnik * Editor-in-Chief, Linux Gazette * http://LinuxGazette.NET *
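As an added example, not code from this thread or from the scponly project, here is a POSIX shell script that applies the rule Ben gives above. It pulls the home directory out of a passwd entry, splits on the '//' marker that scponlyc uses for the chroot point, prints the host-side path where authorized_keys has to go, and checks a jail home directory against the warning quoted from the scponly docs (owned by root, not writable by the user). The two passwd lines are the ones from Ben's message; the function names, the parsing of 'ls -ldn', and the throwaway demo directory are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread or from scponly. Derives where an
# scponly user's authorized_keys lives from the /etc/passwd entry and
# checks a jail home against "owned by root, not writable by the user".
# Function names and the demo directory are constructed for this example.

# Field 6 of a passwd entry is the home directory.
passwd_home() {
    printf '%s\n' "$1" | cut -d: -f6
}

# A chrooted (scponlyc) entry carries '//' in the home field at the
# chroot point; print everything before it. Prints nothing for an
# unchrooted entry.
scponly_chroot_point() {
    home=$(passwd_home "$1")
    case $home in
        *//*) printf '%s\n' "${home%%//*}" ;;
    esac
}

# authorized_keys path as seen from the host, outside the jail. The
# kernel treats '//' as '/', so collapsing it gives the host-side path.
scponly_authkeys_path() {
    home=$(passwd_home "$1")
    printf '%s/.ssh/authorized_keys\n' "$(printf '%s\n' "$home" | sed 's#//#/#')"
}

# Check a jail home: owned by uid 0 and no group/other write bit, so the
# jailed user cannot modify it. Returns 0 on pass, 1 with a reason on
# fail. Parses 'ls -ldn' (POSIX) instead of stat, whose flags differ
# between GNU and BSD.
check_jail_home() {
    dir=$1
    set -- $(ls -ldn "$dir")      # mode, links, uid, gid, ...
    mode=$1
    uid=$3
    if [ "$uid" -ne 0 ]; then
        echo "$dir: owned by uid $uid, not root"
        return 1
    fi
    case $mode in
        ?????w*|????????w*)        # char 6 = group write, char 9 = other write
            echo "$dir: group/other writable ($mode)"
            return 1 ;;
    esac
    echo "$dir: ok ($mode, uid $uid)"
    return 0
}

# Demo on the two passwd lines from the message above.
UNCHROOTED='foobar:x:1000:1001:Foobar Q. Zotz:/home/foobar:/usr/bin/scponly'
CHROOTED='foobar:x:1000:1001:Foobar Q. Zotz:/ALTROOT//home/foobar:/sbin/scponlyc'

for e in "$UNCHROOTED" "$CHROOTED"; do
    jail=$(scponly_chroot_point "$e")
    echo "entry:           $e"
    echo "chroot:          ${jail:-(none)}"
    echo "authorized_keys: $(scponly_authkeys_path "$e")"
done

# Demo of the jail-home check on a throwaway directory. It is made
# group-writable, so it fails whoever runs this script.
demo=$(mktemp -d)
mkdir "$demo/home" && chmod 775 "$demo/home"
check_jail_home "$demo/home" || true
rm -rf "$demo"
```

Run the check as root against the real jail home after setup_chroot.sh has built the tree; the same "not group/other writable" condition is what sshd's StrictModes enforces on the home directory, .ssh and authorized_keys before it will accept the key at all.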




Benjamin A. Okopnik [ben at linuxgazette.net]
Sun, 1 Oct 2006 12:54:18 -0400

Hi, Michael -

Please CC all further messages in this discussion to The Answer Gang; thanks.

On Sun, Oct 01, 2006 at 12:37:12PM -0400, Michael Pearl <Michael.Pearl at semcoenergy.com> wrote:

> 
> Thanks for the response Ben,
> 
> I was able to accomplish what I needed by manually creating the .ssh
> dir in the users home.
> 
> My problem was that I couldn't figure out where the .ssh dir existed
> for an SCPONLY user. When I created the SCPONLY user using the supplied
> script, it didn't create a .ssh in their home.

As far as I know, no application does that; you have to create it yourself, just as you mention doing.

> I'm still not sure where the ssh keys for an SCPONLY user are held.

In their '~/.ssh/authorized_keys' - exactly as I described.

> After I added the .ssh dir their home and added their pub key to the
> authorized_keys file, problem solved.
> 
> I really like SCPONLY, but wish their documentation was a bit more 
> complete. Maybe I'll summarize what I learned and put it out on the
> web.... 

Or you could always write an article for us. That's a way to get it out on the Web and instantly publicized. If you're interested, take a look at our Author Guide: 'http://linuxgazette.net/faq/author.html'.

* Ben Okopnik * Editor-in-Chief, Linux Gazette * http://LinuxGazette.NET *

