# Block scp



## WGhetto (Feb 18, 2012)

Hi, I'm new on this forum but I need a little help with FreeBSD. How do I block SCP from SSHD or allow only SH login?


----------



## SirDice (Feb 18, 2012)

You can't block scp(1) if you allow ssh(1) access. Even if you could block the command someone could still do `cat somefile.txt | ssh me@some.machine`.

What exactly are you trying to stop from happening?


----------



## WGhetto (Feb 18, 2012)

I want to let the user log in only with PuTTY (sh) protocol and do not log in with WinSCP SCP protocol.


----------



## graudeejs (Feb 18, 2012)

SirDice said:

> You can't block scp(1) if you allow ssh(1) access. Even if you could block the command someone could still do `cat somefile.txt | ssh me@some.machine`.
> 
> What exactly are you trying to stop from happening?



I suppose it would be possible, but that would require one to write a custom, pretty limited shell.

Similar to shells/scponly.


----------



## WGhetto (Feb 18, 2012)

Or if I can restrict that user to see only his folder, for example to see only /usr/home/test and not be able to go to /usr/home.


----------



## WGhetto (Feb 18, 2012)

I solved this problem. I just deleted scp from /usr/bin


----------



## DutchDaemon (Feb 18, 2012)

It'll be back after the next OS upgrade.


----------



## Beeblebrox (Feb 18, 2012)

@ Dutch - It should be:
I'll be back (Arnold exits)
after the next OS upgrade,
or buildworld, installworld
and things are back to normal.
[/haiku]


----------



## estrabd (Feb 18, 2012)

Can't you just restrict batch (as opposed to interactive) access? OTOH, there's always netcat.


----------



## SirDice (Feb 20, 2012)

WGhetto said:

> I solved this problem. I just deleted scp from /usr/bin



People can still copy files off of your machine using cat(1).

`ssh user@your.machine cat /etc/passwd | cat > copy_passwd.txt`


----------



## graudeejs (Feb 20, 2012)

Right, you are right.


----------



## WGhetto (Feb 21, 2012)

Yes, but not everyone knows FreeBSD


----------



## UNIXgod (Feb 21, 2012)

WGhetto said:

> Yes, but not everyone knows FreeBSD



Yes, but many people know ssh.


----------



## SirDice (Feb 22, 2012)

WGhetto said:

> Yes, but not everyone knows FreeBSD



It has nothing to do with FreeBSD. This is basic ssh(1) and UNIX stuff. Anybody could come up with a solution like that.

NB. Don't go removing cat(1). I'm sure I can find other ways and removing cat(1) will most likely break your system.

So, I'll repeat the question. What are you trying to prevent from happening?


----------



## fluca1978 (Feb 22, 2012)

WGhetto said:

> Or if I can restrict that user to see only his folder, for example to see only /usr/home/test and not be able to go to /usr/home.



See or modify? The latter can be obtained with permissions, the former does not make sense to me (a user can always see who has an account on the system and which home they have).
What is your exact aim? Prevent a user from remotely filling an arbitrary directory on the system (could be fixed with proper permissions)? Prevent a user from downloading other files out of the system? Or what?


----------



## kpa (Feb 22, 2012)

Google for "ssh chroot freebsd".


----------
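The thread's conclusion is that an account with a normal shell can copy out anything it can read, with or without `/usr/bin/scp`, so the useful check is whether sshd confines the account at all. The following is an added example, not code from any poster: a Python audit that lists, per account, whether the OpenSSH `sshd_config` keywords `ChrootDirectory` or `ForceCommand` apply. The config text and account names are constructed, and only literal `Match User` lists are handled.

```python
# Added example: constructed config and account names, not from the thread.
SAMPLE_CONFIG = """\
# constructed sample sshd_config
PasswordAuthentication no
Match User test
    ChrootDirectory /usr/home/jail
    ForceCommand internal-sftp
Match User alice,bob
    X11Forwarding no
"""

CONTROLS = ("chrootdirectory", "forcecommand")  # real sshd_config keywords


def parse(text):
    """Return (global_settings, {user: settings}); non-'Match User' blocks are skipped."""
    glob, users, targets = {}, {}, None  # targets None = still in global section
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key, value = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if key == "match":
            crit = value.split()
            literal = len(crit) == 2 and crit[0].lower() == "user"
            targets = crit[1].split(",") if literal else []
        elif targets is None:
            glob.setdefault(key, value)
        else:
            for user in targets:
                # sshd keeps the first value it obtains for a keyword
                users.setdefault(user, {}).setdefault(key, value)
    return glob, users


def audit(text, accounts):
    """Map each account to the confinement controls that apply to it."""
    glob, users = parse(text)
    report = {}
    for acct in accounts:
        eff = {**glob, **users.get(acct, {})}  # Match settings override global
        report[acct] = [f"{k}={eff[k]}" for k in CONTROLS
                        if eff.get(k, "none").lower() != "none"]
    return report


if __name__ == "__main__":
    for acct, found in audit(SAMPLE_CONFIG, ["test", "alice", "carol"]).items():
        print(acct, found or "no confinement: deleting scp changes nothing")
```

An empty list means the account has an ordinary shell session, so file permissions are the only thing limiting what it can read and send back over the connection.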

