Linux – Using a system user to transfer files via scp/kerberos

centoscronkerberoslinuxscp

I need a cron job to transfer a file across servers using scp and kerberos authentication. The system user for the job is in /etc/passwd on both machines and a valid keytab has been created (with -randkey) for the kerberos auth. The cron job script calls kinit, then scp, then kdestroy. However, the scp won't work unless I change the /sbin/nologin in /etc/passwd to a valid shell, say /bin/bash.

Question #1: is this a security hole to specify a shell?
Question #2: is this the "right" way to do this?

Thanks in advance

Best Answer

Answer 1: It may be. If you'd disable any other authentication method, and therefore forced use of the key and you believe this key to be strong, then a

Answer 2: With no valid shell scp will drop session before it transfers any files, which is a shame. It seems that scponly does what you want (http://www.sublimation.org/scponly/wiki/index.php/Main_Page).

Related Solutions

Centos – “service” command not found, “htpasswd” command not found ..

echo $PATH

It should match what you listed above from 'which' and does not include /sbin which seems to imply you elevated your privileges but kept the environment from your normal user?

How do you login to this box usually? Are you doing 'su' or 'su -' to elevate?

If you're logging in as root directly then you want to look at your shell configuration. Probably this will be Bash so peek at ~/.bash_profile and ~/.bashrc to see if PATH is defined, if not then the system-wide defaults in /etc will apply to your session.

As a quick fix, this should work:

export PATH="/usr/local/sbin:/usr/sbin:/sbin:${PATH}"

All that does is add /sbin to your PATH environment variable, and it is not permanent across login sessions. You'd need to find where PATH is defined (see above) to fix for good.

Linux – /sbin/nologin default PATH

If you set the shell for an account to /sbin/nologin (on my system it's /usr/sbin/nologin) then if someone tries to login under that account, they will get a message that says the account is unavailable. There is no PATH or /etc/csh.login or /etc/profile for that situation.

This is separate from the /etc/nologin file. If that file exists, no user other than root can login. The contents of that file will be displayed if they try. This is useful when the administrator is about to do a shutdown or otherwise change the runlevel of the system and doesn't want additional users logging in.

Best Answer

Related Solutions

Centos – “service” command not found, “htpasswd” command not found ..

Linux – /sbin/nologin default PATH

Related Topic