With scponly limit can only copy files, not login (Mac version)

Purpose: Restrict the user in a specific directory (can not see the parent or root directory) can only execute SCP or SFTP copy special directory files can not SSH login, other commands can not execute mechanism: SSH login successful, scponly will take over the shell, and chroot to the special directory, so that users " Think that "This directory is the root directory it will only respond to SFTP and SCP commands only affect the configuration of the shell for Scponly users, other users are not affected by the Mac installation: Linux under installation scponly very simple, not to say, particularly the Mac

Google a little scponly, download the decompression after compiling the installation:

./configure--enable-chrooted-binary--enable-rsync-compat--enable-scp-compat--enable-sftp-logging-compat-- With-sftp-server=/usr/libexec/sftp-servermake Clean allsudo make install:/usr/local/sbin/scponlyc with Workgroup The manager establishes the download user, for example DNLD, and configures its login shell to the above path because the commands executed after chroot are rooted in the user directory/users/dnld. So the SCP and sftp-server two executables and trust libraries used by Scponly are copied to them. Log in as root and CD to/USERS/DNLD, execute the following script to do this: Perl/printlib.pl/usr/bin/scpperl./printlib.pl/usr/libexec/ Sftp-server I write the script source, automatically search the trust relationship, and in the current directory to establish the directory structure: #!/bin/perl
%result= ();
$result {$ARGV [0]}=1;


Sub addlib{
@a = ' otool-l \ ' $_[0]\ ';
#print @a;
For $i (@a) {
if ($i =~/\s* ([a-z| a-z|\.| 0-9|\/|\+|\-]*) \s*/) {
#print "$1\n";
$result {$1}=1;
}
}
}

$before = 1;
$after = 0;

while ($before! = $after) {
$before = scalar keys%result;

For $i (keys%result) {
Addlib ($i);
}
$after = scalar keys%result;
Print "Before $before, after $after \ n";
}

For $i (keys%result) {
#print "$i \ n";
if ($i =~/(. *) \/([~\/]*)/) {
System ("Mkdir-p \.$1");
System ("CP $i \.$1/");

}
Debug: Increase the log level: Cat 7/usr/local/scponly/etc/scponly/debuglevel Copy files from other machines or native users using DNLD, see login Log:tail-f/var/log/* Dstruss similar to Strace to see what the process is doing directly to scponly Riga log, the most straightforward. Http://www.blogjava.net/alwayscy/archive/2011/07/13/354216.html----------------------------------------------- ------------------------more than 4.8 sshd configuration specific users can only be in a specific directory sftp, no other command operation

Restrict users from downloading files in their own directory:

Establish NAGIOSDNLD

Point to Soft Links:/usr/local/nagios/dnld-/users/nagiosdnld/dnld

Edit/etc/sshd_config

Match User nagiosdnld

X11forwarding No

Allowtcpforwarding No

Forcecommand internal-sftp

Chrootdirectory/users/nagiosdnld

Restart the service:

Launchctl Stop Org.openbsd.ssh-agent

Launchctl Start Org.openbsd.ssh-agent

@import URL (http://www.blogjava.net/CuteSoft_Client/CuteEditor/Load.ashx?type=style&file= syntaxhighlighter.css); @import url (/css/cuteeditor.css); Http://www.blogjava.net/alwayscy/archive/2011/10/03/359940.html

With scponly limit can only copy files, not login (Mac version)