Is it possible to prevent users from copying


  • Is it possible to prevent users from copying

    With Linux servers and OpenSSH: these days copyright is a big concern. Is it possible to prevent web users from copying those files using "scp" while still allowing shell access with "ssh"?

  • #2
    When I got this kind of issue, I realized that 'ssh $server "cat file"' type file accesses are much, much harder to prevent, but I need to see about stopping "scp" for starters.
    Failing that, is there a way to reliably log all SCP access on the server side through syslog?



    • #3
      Originally posted by rocky123
      With Linux servers and OpenSSH: these days copyright is a big concern. Is it possible to prevent web users from copying those files using "scp" while still allowing shell access with "ssh"?
      Originally posted by shane10
      When I got this kind of issue, I realized that 'ssh $server "cat file"' type file accesses are much, much harder to prevent, but I need to see about stopping "scp" for starters.
      Failing that, is there a way to reliably log all SCP access on the server side through syslog?


      While you could edit your /etc/ssh/sshd_config to look something like this:

      # Run /bin/sh for every session, whatever command the client requested
      ForceCommand /bin/sh
      # "none" prohibits all forwarding requests (PermitOpen takes host:port, any or none)
      PermitOpen none
      AllowTcpForwarding no
      PermitTunnel no
      # sftp subsystem disabled:
      # Subsystem sftp /usr/lib/openssh/sftp-server
      PermitUserEnvironment no

      Rather, determine what the user is likely to use it for, because if there are only a few commands that you want them to have access to, I would instead remove the ability for them to even invoke a normal ssh shell.

      AllowUsers root
      PermitRootLogin forced-commands-only
      PermitUserEnvironment no
      AllowTcpForwarding no
      PermitTunnel no
      # sftp subsystem disabled:
      # Subsystem sftp /usr/lib/openssh/sftp-server
      # Each permitted task is exposed as a named subsystem
      Subsystem smb-reload /usr/bin/smbcontrol smbd reload-config
      Subsystem status /opt/local/bin/status.sh

      ssh [email protected] -s smb-reload

      If the administrator finds that it really does need to be run on a normal shell, the most you really can hope for is to slow them down and make it more difficult.
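
The syslog question from post #2 and the ForceCommand approach from post #3 can be combined. The following is an added example, not code from any poster in this thread: a forced-command wrapper that writes every SSH request to syslog and refuses scp and sftp. The path /usr/local/sbin/ssh-gate.sh, the ssh-gate syslog tag and the function names are assumptions.

```shell
#!/bin/sh
# Added example; hypothetical path /usr/local/sbin/ssh-gate.sh. Enable with:
#   ForceCommand /usr/local/sbin/ssh-gate.sh
# sshd puts the client's request in SSH_ORIGINAL_COMMAND (empty for a login).

# Replace non-printable bytes so a crafted command cannot forge log lines.
sanitize_for_log() {
    printf '%s' "$1" | tr -c '[:print:]' '?'
}

# Print one of: shell, scp, sftp, exec.
classify_ssh_command() {
    [ -n "$1" ] || { echo shell; return 0; }
    set -f; set -- $1; set +f      # split into words without globbing
    first=${1:-}
    case "${first##*/}" in         # basename of the first word
        scp)                       echo scp ;;   # legacy scp: "scp -t|-f path"
        sftp-server|internal-sftp) echo sftp ;;  # sftp, and scp in OpenSSH 9.0+
        *)                         echo exec ;;
    esac
}

# Log the request, then run it or refuse it.
gate() {
    cmd=${SSH_ORIGINAL_COMMAND:-}
    kind=$(classify_ssh_command "$cmd")
    src=${SSH_CONNECTION%% *}      # first field is the client address
    msg="user=$(id -un) from=$src kind=$kind cmd=$(sanitize_for_log "$cmd")"
    case "$kind" in
        shell) logger -t ssh-gate -p auth.info "login $msg"
               exec /bin/sh ;;
        exec)  logger -t ssh-gate -p auth.info "allow $msg"
               exec /bin/sh -c "$cmd" ;;
        *)     logger -t ssh-gate -p auth.warning "deny $msg"
               echo "file transfer is disabled on this host" >&2
               exit 1 ;;
    esac
}

# Only act when run under its installed (assumed) name, so the functions
# above can be sourced or tested without starting a shell.
case "$0" in
    *ssh-gate.sh) gate ;;
esac
```

As the thread notes, a user with a shell can still read files with 'ssh $server "cat file"', so the deny branch only slows copying down; what the wrapper does give is one syslog line per non-interactive request.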
