Easy and Full Steps To Enable scponly on Ubuntu 22.04

By Posted on

Easy and Full Steps To Enable scponly on Ubuntu 22.04

Easy and Full Steps To Enable scponly on Ubuntu 22.04

This tutorial aims to guide you through the process of configuring and enabling scponly on Ubuntu 22.04. Scponly is a restricted shell that confines users to SCP and SFTP operations, effectively disabling SSH logins. This setup allows you to grant users remote access for uploading and downloading files without permitting them to execute arbitrary commands. Follow the steps outlined on the Orcacore website to enable scponly on Ubuntu 22.04.

To proceed with enabling scponly on Ubuntu 22.04, ensure you are logged into your server as a non-root user with sudo privileges. If needed, refer to the initial server setup guide for Ubuntu 22.04.

Now, let’s delve into the steps required to configure and enable scponly on Ubuntu 22.04.

Step 1 – Install Required Packages for scponly on Ubuntu 22.04

First, update your system’s package list:

sudo apt update

To enable scponly on Ubuntu 22.04, you’ll need the following packages:

sudo apt install wget gcc make rsync openssh-client -y

Step 2 – Download the latest scponly

In this step, you will download and install scponly from source. Switch to the /opt directory:

cd /opt

Visit the scponly restricted shell Files and get the latest release using the following wget command:

sudo wget http://sourceforge.net/projects/scponly/files/scponly-snapshots/scponly-20110526.tgz

Extract the downloaded file:

sudo tar -zxvf scponly-20110526.tgz

Proceed to the next step to compile, build, and enable scponly on Ubuntu 22.04.

Step 3 – Compile and Build scponly on Ubuntu 22.04

Change your directory to the scponly directory:

cd /opt/scponly-20110526

Run the configure command to build a make file for scponly:

sudo ./configure --enable-chrooted-binary --enable-winscp-compat --enable-rsync-compat --enable-scp-compat --with-sftp-server=/usr/libexec/openssh/sftp-server

Use the following command to install and enable scponly on Ubuntu 22.04:

# sudo make
# sudo make install

Add the scponly shells to the /etc/shells file:

sudo /bin/su -c "echo "/usr/local/bin/scponly" >> /etc/shells"

Create a scponly group to manage scponly users:

sudo groupadd scponly

Step 4 – Create an Upload Directory on Ubuntu 22.04 for scponly

Create an upload directory for the scponly group, used to control data uploads:

sudo mkdir -p /pub/upload

Set the correct permissions and ownership:

# sudo chown root:scponly /pub/upload
# sudo chmod 770 /pub/upload

Step 5 – Create a scponly User Account on Ubuntu 22.04

Create a user account for scponly. Specify scponly as an alternative group and /usr/local/bin/scponly as the shell:

sudo useradd -m -d /home/<mark>user1</mark> -s "/usr/local/bin/scponly" -c "<mark>user1</mark>" -G scponly <mark>user1</mark>

Set the correct permissions for your user account (scponly users can’t modify SSH parameters):

sudo chmod 500 /home/<mark>user1</mark>

Set a password for your scponly user account:

sudo passwd <mark>user1</mark>
Create a scponly User Account on Ubuntu 22.04

Step 6 – Test scponly User Account Shell Access

Verify that your scponly user doesn’t have access to the terminal.

Log in to your server as the scponly user:

su - <mark>user1</mark>

The terminal should hang, indicating no terminal access. Press CTRL+C to exit.

Step 7 – Download Files with scponly User Account

Test the scponly user’s ability to download files. Create a 100 MB test file:

sudo fallocate -l 100m /home/user1/testfile.img

Set the correct ownership for the test file:

sudo chown user1:user1 /home/user1/testfile.img

Change your directory to the /tmp directory:

cd /tmp

SFTP to your server using the scponly user account:

sftp user1@your_server_ip

Enter your password when prompted. Download the file:

sftp> get testfile.img

Exit the shell:

sftp> quit

Verify the file on your local machine:

ls -l testfile.img

Step 8 – Upload Files with scponly User Account

Test the scponly user’s ability to upload a file.

Create a 100 MB test file:

fallocate -l 100m /home/user1/uploadfile.img

SFTP to your server using the scponly user account:

sftp user1@your_server_ip

Upload the test file to /pub/upload:

sftp> put uploadfile.img /pub/upload/

Verify the file was successfully uploaded:

sftp> ls -ltr /pub/upload
<strong><mark>Output</mark></strong>
-rw-r--r--    1 user1 user1 104857600  uploadfile.img

Exit the sftp shell:

sftp> quit

Conclusion

You have now successfully configured and enabled scponly on Ubuntu 22.04. You’ve also created a test user and verified their ability to download and upload files.

Alternative Solutions for Restricting User Access on Ubuntu 22.04

While scponly provides a specific solution for restricting users to SCP and SFTP access, there are alternative approaches to achieve similar levels of security and control over user activities on Ubuntu 22.04. Here are two such alternatives:

1. Using rssh (Restricted Secure Shell)

rssh is another restricted shell designed for providing limited access to users, primarily focusing on scp and sftp. Unlike scponly, rssh is often easier to configure and manage, particularly for users who are not deeply familiar with the intricacies of shell configurations. It achieves restriction by limiting the available commands that the user can execute.

Explanation:

rssh works by intercepting the user’s attempt to execute commands and validating them against a predefined whitelist. If the command is not permitted, the user is denied execution. This approach provides a balance between security and usability, making it a viable alternative to scponly.

Steps to Implement rssh:

  1. Install rssh:

    sudo apt update
sudo apt install rssh

  2. Configure rssh:

    Edit the /etc/rssh.conf file to specify allowed commands. Common settings include allowing only scp and sftp.

    sudo nano /etc/rssh.conf

    Example configuration:

    allowscp
allowsftp

    You can further restrict options such as disabling port forwarding, etc., according to your needs.

  3. Set rssh as the User’s Shell:

    Modify the user’s shell to /usr/bin/rssh. This can be done with the usermod command:

    sudo usermod -s /usr/bin/rssh <user1>

  4. Add rssh to /etc/shells:

    Make sure that /usr/bin/rssh is listed in the /etc/shells file:

    sudo /bin/su -c "echo "/usr/bin/rssh" >> /etc/shells"

  5. Testing:

    Log in as the user <user1>. Attempts to use standard SSH commands should be denied, while scp and sftp should function as expected.

Code Example:

There isn’t extensive code to provide beyond the configuration file example. The key is the correct setting of the user’s shell and the proper configuration of /etc/rssh.conf.

2. Using SSH Chroot with Limited Shell Access

Another alternative is to combine SSH chroot with a limited shell (like rbash – restricted bash) or a custom-built shell. SSH chroot confines a user to a specific directory, preventing them from accessing the rest of the filesystem. Combining this with a limited shell further restricts their ability to execute commands.

Explanation:

SSH chroot changes the root directory for the user’s session, so / becomes the specified directory. The limited shell restricts the commands that the user can run within this chrooted environment. This method offers a strong level of isolation and control.

Steps to Implement SSH Chroot with Limited Shell:

  1. Create a Chroot Directory:

    Create the directory that will be the user’s root:

    sudo mkdir -p /home/chroot/<user1>
sudo chown root:root /home/chroot/<user1>
sudo chmod 755 /home/chroot/<user1>

  2. Prepare the Chroot Environment:

    Copy essential binaries and libraries into the chroot directory. This is crucial for sftp to function.

    sudo mkdir -p /home/chroot/<user1>/usr/bin
sudo mkdir -p /home/chroot/<user1>/usr/lib
sudo mkdir -p /home/chroot/<user1>/lib
sudo mkdir -p /home/chroot/<user1>/lib64 #for 64 bit
sudo cp /usr/bin/sftp-server /home/chroot/<user1>/usr/bin/
sudo cp /lib/x86_64-linux-gnu/libc.so.6 /home/chroot/<user1>/lib/
sudo cp /lib64/ld-linux-x86-64.so.2 /home/chroot/<user1>/lib64/
sudo cp /usr/lib/x86_64-linux-gnu/libcrypto.so.3 /home/chroot/<user1>/usr/lib/ #example
#find needed library files with ldd /usr/bin/sftp-server and copy them

  3. Set up the Restricted Shell (rbash):

    sudo usermod -s /bin/rbash <user1>

  4. Configure SSH to Chroot the User:

    Edit the /etc/ssh/sshd_config file:

    sudo nano /etc/ssh/sshd_config

    Add the following at the end of the file (or modify existing entries):

    Match User <user1>
   ChrootDirectory /home/chroot/<user1>
   ForceCommand internal-sftp
   PermitTunnel no
   AllowAgentForwarding no
   AllowTcpForwarding no
   X11Forwarding no

    Restart the SSH service:

    sudo systemctl restart sshd

  5. Testing:

    Log in as the user <user1>. The user should be chrooted to /home/chroot/<user1>, and attempts to run commands outside of sftp should be restricted due to the limited shell.

Code Example:

The core of this approach lies in the sshd_config file and the careful creation of the chroot environment. The ForceCommand internal-sftp ensures that only SFTP sessions are allowed.

These alternative solutions offer different trade-offs in terms of complexity and security. The choice depends on the specific requirements and the desired level of control over user access. Each method provides a way to restrict users without relying solely on scponly.

Related posts:

Leave a Reply

Your email address will not be published. Required fields are marked *