I'm allowing a friend a local account on my machine, exclusively for SCP. Can I specify his account's shell as /bin/true, or in any other way limit the account, while still allowing SCP?

2 Answers
I recommend using rsync instead of scp. For users, it has many more useful features. On the server side, it comes with rrsync to allow sync access inside a given directory, but no general shell access and no access to other directories.
Alternatively, you can restrict the account to only allow SFTP and not shell access. SFTP is a distinct access type in the SSH protocol, unlike rsync and scp which work by running a shell command on the server. (rrsync restricts access by only allowing one specific shell command, which only supports certain rsync transfers and nothing else.) SFTP access enables SFTP clients as well as SSHFS.
Historically, there were projects such as rssh and scponly, which you could set as user's shell, and then the user would only be able to run file copies and not get shell access. However, those projects are unmaintained and very likely insecure by now.

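The SFTP-only restriction described in the answer above is normally expressed as a `Match User` block in `sshd_config`. The following is an added example, not part of the original answer: it embeds a constructed configuration and checks that the account has no shell path left. The account name `friend`, the chroot path and the function names are assumptions, and the parser only understands plain `Match User name[,name]` blocks.

```python
# Added example. "friend" and /srv/sftp/%u are constructed sample values.
GOOD_CONFIG = """\
Subsystem sftp internal-sftp

Match User friend
    ForceCommand internal-sftp
    ChrootDirectory /srv/sftp/%u
    AllowTcpForwarding no
    X11Forwarding no
"""

# Constructed weak variant: the shell is gone, but forwarding is still allowed.
WEAK_CONFIG = """\
Match User friend
    ForceCommand internal-sftp
"""

# Settings this check expects inside the account's Match block.
REQUIRED = {
    "forcecommand": "internal-sftp",
    "allowtcpforwarding": "no",
    "x11forwarding": "no",
}

def match_user_settings(config_text, user):
    """Return keyword -> value from plain 'Match User a[,b]' blocks naming user."""
    settings, active = {}, False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()  # sshd_config keywords are case-insensitive
        value = parts[1] if len(parts) > 1 else ""
        if keyword == "match":
            # A Match block runs until the next Match line or end of file.
            crit = value.split()
            active = (len(crit) == 2 and crit[0].lower() == "user"
                      and user in crit[1].split(","))
        elif active:
            settings.setdefault(keyword, value)  # sshd keeps the first value seen
    return settings

def sftp_only_gaps(config_text, user):
    """List the REQUIRED keywords that are missing or set differently for user."""
    found = match_user_settings(config_text, user)
    return [key for key, want in REQUIRED.items()
            if (found.get(key, "").split() or [""])[0] != want]

if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CONFIG), ("weak", WEAK_CONFIG)):
        print(name, sftp_only_gaps(cfg, "friend") or "restricted to SFTP")
```

On a live host, `sshd -T` with a `-C` connection specification prints the effective settings for an account, which also covers wildcard and multi-criteria `Match` blocks that this sketch skips.
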
No, you don't. As Gilles pointed out, rssh works very nicely to this end, as does scponly. See also the discussion in this related question.

They're still shells, as pointed out /bin/false will not work, neither will chmod 644 ksh. – Steve-o Sep 09 '11 at 07:55
/bin/false or other program that does nothing, neither scp nor sftp will work. For both commands, the SSH daemon fires off a shell command that runs a dedicated server process (scp -f or sftp-server). It needs a Bourne-style shell, or at least a close enough approximation (such as rssh which allows only these few commands through). – Gilles 'SO- stop being evil' Sep 08 '11 at 20:00