How to set up ssh-only user with minimal privileges?
Petter Adsen
petter at synth.no
Fri Apr 3 14:42:39 UTC 2015
On Thu, 2 Apr 2015 15:59:01 +0000 (UTC)
Dan Purgert <dan at djph.net> wrote:
> On Thu, 02 Apr 2015 16:22:59 +0200, Petter Adsen wrote:
>
> > I have a short script running from cron on a server running 14.10,
> > that creates a small backup of essential system files. What I want
> > to do is set up this script to scp the tarball to another, remote
> > system.
> >
> > So, I need to create an account on the remote system and set up
> > keys, but I want this account to only be able to deposit the archive
> > somewhere, and not be able to get to a shell or do anything else.
> >
> > Is it enough to set the shell for the user to something
> > like /bin/false? Will that user still be able to deposit the file
> > via scp? Is there anything else I can do to lock down that account?
> >
> > Petter
>
> yep, /bin/false should do it. Just make sure you give them a home
> directory for dumping files to (cron move job or something can handle
> it from there).

As it turns out, setting the shell to /bin/false or /usr/sbin/nologin
does *not* work. It seems scp requires a regular ssh connection to
transfer the files. Just thought I'd mention it in case anybody else
needs to do this.

I will probably look into setting up a separate sshd on another port
and chroot that. But that will have to happen tomorrow :)

Petter
--
"I'm ionized"
"Are you sure?"
"I'm positive."
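
An added example, not part of the original thread: the legacy scp client asks the remote host to run `scp -t <target>` through the account's login shell, which is why /bin/false or nologin stops the upload. One way to keep a normal shell but still confine the key is a forced command in authorized_keys that permits only that upload. The wrapper path, the `incoming` directory name and the elided key are assumptions.

```shell
#!/bin/sh
# Added example: forced-command wrapper for a deposit-only backup key.
# Hypothetical install path: /usr/local/bin/scp-deposit-only
# authorized_keys entry for the backup key (one line, key material elided):
#   command="/usr/local/bin/scp-deposit-only",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-ed25519 AAAA... backup-key

# Assumption: archives land in ~/incoming on the receiving host.
DROP_DIR="incoming"

# Succeeds only for the exact commands a legacy-protocol scp upload of plain
# files into DROP_DIR sends: "scp -t <dir>", optionally with -p (keep times).
# Downloads (-f), recursion (-r), other paths and anything appended are refused.
is_allowed_scp() {
    case "$1" in
        "scp -t $DROP_DIR" | "scp -t $DROP_DIR/") return 0 ;;
        "scp -p -t $DROP_DIR" | "scp -p -t $DROP_DIR/") return 0 ;;
    esac
    return 1
}

# sshd puts the command the client asked for in SSH_ORIGINAL_COMMAND when a
# forced command is in effect. It is empty for an interactive login attempt,
# in which case this script simply ends and the session closes without a shell.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    if is_allowed_scp "$SSH_ORIGINAL_COMMAND"; then
        cd "$HOME" || exit 1
        # Run a fixed command line; the client's string is never evaluated.
        case "$SSH_ORIGINAL_COMMAND" in
            "scp -p "*) exec scp -p -t "$DROP_DIR" ;;
            *)          exec scp -t "$DROP_DIR" ;;
        esac
    fi
    logger -t scp-deposit-only "denied for $USER: $SSH_ORIGINAL_COMMAND"
    echo "This key may only upload files to $DROP_DIR/" >&2
    exit 1
fi
```

Clients from OpenSSH 9.0 onward use the SFTP protocol for scp by default and would be refused by this wrapper; `scp -O` selects the legacy protocol it expects.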