6

I have a small server running Debian and I want to add an account with SSH access for backups. The user of this account should have no console access. He can only transfer (backup) data via SCP to/from one directory on the server, nothing more. How can I do this?

edit

I have found a solution. https://superuser.com/questions/299036/can-i-create-an-ssh-user-which-can-access-only-certain-directory contains a different question but the solution exactly solves my problem.

Community
  • 1
user4811
  • 193

2 Answers2

5

You can specify which command is used in the authorized key file on the server (this overrides the command the user supplies). According to man sshd (section AUTHORIZED_KEYS FILE FORMAT):

 command="command"
         Specifies that the command is executed whenever this key is used
         for authentication.  The command supplied by the user (if any)
         is ignored.  The command is run on a pty if the client requests
         a pty; otherwise it is run without a tty.  If an 8-bit clean
         channel is required, one must not request a pty or should spec‐
         ify no-pty.  A quote may be included in the command by quoting
         it with a backslash.  This option might be useful to restrict
         certain public keys to perform just a specific operation.  An
         example might be a key that permits remote backups but nothing
         else.  Note that the client may specify TCP and/or X11 forward‐
         ing unless they are explicitly prohibited.  The command origi‐
         nally supplied by the client is available in the
         SSH_ORIGINAL_COMMAND environment variable.  Note that this
         option applies to shell, command or subsystem execution.  Also
         note that this command may be superseded by either a
         sshd_config(5) ForceCommand directive or a command embedded in a
         certificate.

Put in the authorized_keys file:

command="scp -t -- /var/tmp" ssh-rsa ......

This force a command scp some_file user@server:/some/directory on client to create /var/tmp/some_file on server.

Check that the user cannot overwrite ~/.ssh/authorized_keys on the server!

You can make more restrictions, allowing only from a certain client. I use:

no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty,command="scp...
Zelda
  • 6,262
  • 1
  • 23
  • 28
  • That is not exactly what I want. I only want to use the server for some users as a "SSH-storage-device". Sorry for the confusion. Nevertheless I appreciate your help! – user4811 Jan 03 '14 at 00:47
1

Set up a sftp-chroot for that user.

I found the easiest way to do (CentOS) so by:

  • cloning the ssh-init-script
  • Use a special configuration-file for that sshd-instance

In the configuration use the following settings:

PermitRootLogin no
PasswordAuthentication no
GSSAPIAuthentication no
AllowTcpForwarding no
PrintMotd no
PrintLastLog no
PidFile /var/run/sshd_sftp.pid
ChrootDirectory /opt/%u/chroot
Subsystem sftp internal-sftp
AllowGroups sftp

Now create /opt/USERNAME/chroot/home/USERNAME and any other directories below chroot you want the user to have access to.

Put the public-key for the user into /home/USERNAME/.ssh/authorized_keys.

Allocate the group sftp as primary or secondary group to that user.

Done.

Nils
  • 18,492
  • I have found a solution in another post (I have edited my question). Nevertheless thanks for your help!! – user4811 Jan 03 '14 at 00:49
  • @user4811 if the answer was useful, upvote it. – Nils Jan 03 '14 at 09:33
  • @Nils you should also use ForceCommand internal-sftpto make sure the user is not able to transfer binaries into the chroot and then execute them. Removing options from the config snippet that aren't directly related to the question (e.g. authentication options) might help as well. – peterph Jan 08 '14 at 07:54