How to set up ssh-only user with minimal privileges?

Karl Auer kauer at biplane.com.au
Thu Apr 2 17:18:18 UTC 2015


On Thu, 2015-04-02 at 15:59 +0000, Dan Purgert wrote:
> On Thu, 02 Apr 2015 16:22:59 +0200, Petter Adsen wrote:
> > I have a short script running from cron on a server running 14.10, that
> > creates a small backup of essential system files. What I want to do is
> > set up this script to scp the tarball to another, remote system.
>
> yep, /bin/false should do it.  Just make sure you give them a home 
> directory for dumping files to (cron move job or something can handle it 
> from there).

Set up an account just for this task. Make sure the new account has a
unique group too, and is only in that group. Set the new account's shell
to /bin/false. Set the account password to something impossible so that
no password access is possible. Ideally turn off password authentication
in sshd-config. Give the new account a home directory they can't write
to at all - the root directory is traditional. Set a quota on the
account which is just a bit larger than you expect the tarball ever to
be. Provide a location that the new account has write access to. Unless
other users on the remote system should be able to read the tarball,
make it a location that ONLY the new account can write to. If not even
the receiving account should be able to read it, encrypt the tarball
before you send it. Consider using the "from" option in the
authorized_hosts file on the receiving system, and for good measure look
at the other no-* options like no-port-forwarding. Look at using
hosts.allow and/or hosts.deny to further control access. Unless you
control the DNS zone your sending host name is in, use IP addresses, not
names (or compromise with an entry in /etc/hosts on the sending system).
Don't forget IPv6. Inspect your access logs regularly (or even set up an
automated check) to let you know if the new account is ever accessed
outside the times you expect. Some of these things are belt-and-braces,
but they may cover you if someone accidentally removes one of the
protections you set up.

You could run up a second sshd on a different port and configure it to
ONLY allow connections to the one specific account from one specific IP
address. chroot this instance for even more lockdown.

There's really no end to the lengths you can go, but after a while you
reach a point of diminishing returns. For example, you could put all of
the above into VM...

Regards, K.

-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Karl Auer (kauer at biplane.com.au)
http://www.biplane.com.au/kauer
http://twitter.com/kauer389

GPG fingerprint: 3C41 82BE A9E7 99A1 B931 5AE7 7638 0147 2C3C 2AC4
Old fingerprint: EC67 61E2 C2F6 EB55 884B E129 072B 0AF0 72AA 9882
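The account setup Karl describes, as an added example that is not part of the list post: own group, /bin/false shell, locked password, an unwritable home (/), one drop directory only the account can write to, a `from=` plus `no-*` restricted key entry (the `from` option lives in the authorized_keys file), and a small check that sshd_config has password authentication off. Assumed names are the account `backupdrop`, the directory /var/backups/incoming, the documentation addresses 203.0.113.10 and 2001:db8::10, and a key file under /etc/ssh/authorized_keys/ selected by the sshd `AuthorizedKeysFile` directive; the quota and hosts.allow steps are left out.

```shell
#!/bin/sh
# Added example (not from the list post). Assumed names: account and group
# "backupdrop", drop directory /var/backups/incoming, sender addresses
# 203.0.113.10 and 2001:db8::10 (documentation ranges), key file kept under
# /etc/ssh/authorized_keys/ via the sshd AuthorizedKeysFile directive.
set -eu

ACCT=backupdrop
DROP=/var/backups/incoming
KEYDIR=/etc/ssh/authorized_keys

# Build the authorized_keys entry: pin the source address(es) with from= and
# switch off everything except file transfer with the no-* options.
# $1: comma-separated address pattern list (IPv4 and IPv6), $2: public key.
authorized_keys_line() {
    printf 'from="%s",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty %s\n' "$1" "$2"
}

# Audit check: read an sshd_config on stdin and succeed only if password
# authentication is explicitly off. sshd honours the first occurrence of a
# keyword, so that is the one inspected; commented lines never match.
password_auth_disabled() {
    awk 'tolower($1) == "passwordauthentication" { print tolower($2); exit }' |
        grep -qx no
}

# Create the account as the post describes: own group, no shell, locked
# password, unwritable home (/), and one directory only it can write to.
create_restricted_account() {
    groupadd "$ACCT"
    useradd -g "$ACCT" -M -d / -s /bin/false "$ACCT"
    passwd -l "$ACCT"
    install -d -m 0700 -o "$ACCT" -g "$ACCT" "$DROP"
    install -d -m 0755 -o root -g root "$KEYDIR"
    authorized_keys_line "$1" "$2" > "$KEYDIR/$ACCT"
    chmod 0644 "$KEYDIR/$ACCT"
    # Requires 'AuthorizedKeysFile /etc/ssh/authorized_keys/%u' in sshd_config.
}

# Only touch the system when explicitly asked to, as root:
#   ./restricted-scp-account.sh apply '203.0.113.10,2001:db8::10' "$(cat sender.pub)"
if [ "${1:-}" = apply ]; then
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
    create_restricted_account "$2" "$3"
    password_auth_disabled < /etc/ssh/sshd_config ||
        echo "warning: PasswordAuthentication is not set to no in sshd_config" >&2
fi
```

The sender then copies into the drop directory only (`scp backup.tar.gz backupdrop@host:/var/backups/incoming/`), and a login attempt from any other address or with a password is refused.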