0

Instead of using...

ssh://user@mysite.net:1234/mnt/thing/usr/prj

I want to use

ssh://user@mysite.net:1234/prj

How would I do this? It would be good if users can't access /home, /var and such. I only need this for data transfers.

ctype.h
  • 556

2 Answers2

1

Look into the scponly 'shell' and set up a chroot.

0

Create a user whose home directory is /prj.

Create a ~/.ssh/authorized_keys file for the user which contains the remote users public key, as well as some restriction on the commands and ssh options available, like:

command="/usr/bin/scp-wrapper",no-port-forwarding,no-X11-forwar
ding,no-agent-forwarding,no-pty ssh-rsa AAAAB3NzaC1yc2EAAAADAQA
BAAABAQCblahblahblahblahblahblahblahblahblahblahblahblahblahbla
hblahblahblahblahblahblahblahblahblahblahblahblahblahblahblahbl
ahblahblahblahblahblahblahblahblahblahblahblahblahblahblahblahb
lahblahblahblahblahblahblahblahblahblahblahblahblahblahblahblah
blahblahblahblahblahblahblahblahblahblahblahblahblahblahblahbla
hblahblahblahblahblahblahblahblahB user@site.com

Make it as restrictive as possible.

Then you'll need to create that wrapper for scp. Something as simple as the following will work, but you'll want to add more security conscious checks and tests before using it in production.

#!/usr/bin/env bash

$SSH_ORIGINAL_COMMAND

This is just an example of what's possible. In this case, the full scp command is captured in the environment variable $SSH_ORIGINAL_COMMAND, but since you can't specify a command with arguments in the command= clause of the .authorized_keys file, you need the wrapper.

Users can probably still access sticky public directories, like /tmp, but they'll have no access to roam around /var, or /home.

and they may be able to pull files off your server, but you could wrap all this up with chroot, and secure the system quite a bit more, with minimal effort.

Tim Kennedy
  • 19,697