How to set up ssh-only user with minimal privileges?

[Chris Green]

On Fri, Apr 03, 2015 at 04:42:39PM +0200, Petter Adsen wrote:
> On Thu, 2 Apr 2015 15:59:01 +0000 (UTC)
> Dan Purgert <dan at djph.net> wrote:
> 
> > On Thu, 02 Apr 2015 16:22:59 +0200, Petter Adsen wrote:
> > 
> > > I have a short script running from cron on a server running 14.10,
> > > that creates a small backup of essential system files. What I want
> > > to do is set up this script to scp the tarball to another, remote
> > > system.
> > > 
> > > So, I need to create an account on the remote system and set up
> > > keys, but I want this account to only be able to deposit the archive
> > > somewhere, and not be able to get to a shell or do anything else.
> > > 
> > > Is it enough to set the shell for the user to something
> > > like /bin/false? Will that user still be able to deposit the file
> > > via scp? Is there anything else I can do to lock down that account?
> > > 
> > > Petter
> > 
> > yep, /bin/false should do it.  Just make sure you give them a home 
> > directory for dumping files to (cron move job or something can handle
> > it from there).
> 
> As it turns out, setting the shell to /bin/false or /usr/sbin/nologin
> does *not* work. It seems scp requires a regular ssh connection to
> transfer the files. Just thought I'd mention it in case anybody else
> needs to do this.
> 
> I will probably look into setting up a separate sshd on another port
> and chroot that. But that will have to happen tomorrow :)
> 
One thing you can do is use the remote authorized_keys file to allow
only certain commands to run when logging in with that key.  I use
this to allow passwordless (i.e. ssh key with no passphrase) backups
which won't let anything else happen.

In my case I use rsync for the backup and the relevant key in
authorized_keys starts with:-

    command="rsync --server -vlogDtpr .  backups",no-pty,no-port-forwarding

You need to read the ssh documentation carefully to get the details of
this right but it's very effective.

-- 
Chris Green