How to set up ssh-only user with minimal privileges?
Chris Green
cl at isbd.net
Fri Apr 3 15:39:33 UTC 2015
On Fri, Apr 03, 2015 at 04:42:39PM +0200, Petter Adsen wrote:
> On Thu, 2 Apr 2015 15:59:01 +0000 (UTC)
> Dan Purgert <dan at djph.net> wrote:
>
> > On Thu, 02 Apr 2015 16:22:59 +0200, Petter Adsen wrote:
> >
> > > I have a short script running from cron on a server running 14.10,
> > > that creates a small backup of essential system files. What I want
> > > to do is set up this script to scp the tarball to another, remote
> > > system.
> > >
> > > So, I need to create an account on the remote system and set up
> > > keys, but I want this account to only be able to deposit the archive
> > > somewhere, and not be able to get to a shell or do anything else.
> > >
> > > Is it enough to set the shell for the user to something
> > > like /bin/false? Will that user still be able to deposit the file
> > > via scp? Is there anything else I can do to lock down that account?
> > >
> > > Petter
> >
> > yep, /bin/false should do it. Just make sure you give them a home
> > directory for dumping files to (cron move job or something can handle
> > it from there).
>
> As it turns out, setting the shell to /bin/false or /usr/sbin/nologin
> does *not* work. It seems scp requires a regular ssh connection to
> transfer the files. Just thought I'd mention it in case anybody else
> needs to do this.
>
> I will probably look into setting up a separate sshd on another port
> and chroot that. But that will have to happen tomorrow :)
>
One thing you can do is use the remote authorized_keys file to allow
only certain commands to run when logging in with that key. I use
this to allow passwordless (i.e. ssh key with no passphrase) backups
which won't let anything else happen.
In my case I use rsync for the backup and the relevant key in
authorized_keys starts with:-
command="rsync --server -vlogDtpr . backups",no-pty,no-port-forwarding
You need to read the ssh documentation carefully to get the details of
this right but it's very effective.
--
Chris Green
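The `command=` restriction Chris describes works for scp too, because sshd runs the forced command instead of whatever the client asked for and exposes the client's request in the `SSH_ORIGINAL_COMMAND` environment variable. The wrapper below is an added example (not from the mail, and not Ubuntu's or OpenSSH's own code): it lets a key do nothing except `scp -t` an upload into one fixed directory, rejects downloads, shells, rsync, path traversal and anything with shell metacharacters, and logs what it refused. The landing directory `/home/backup/incoming`, the wrapper path `/usr/local/bin/scp-only` and the key material are assumptions for illustration. Note that scp from OpenSSH 9.0 onward speaks SFTP by default, so a client would need `scp -O` for this wrapper to see `scp -t`; OpenSSH 7.2 and later also accept the single `restrict` option in place of the individual `no-*` options.

```sh
#!/bin/sh
# scp-only: forced-command wrapper for an upload-only SSH key.
# Added example; all paths below are assumptions, not values from the original mail.

UPLOAD_DIR="/home/backup/incoming"   # assumed landing directory for the tarballs

# Build the restricted authorized_keys entry for a public key: force the wrapper
# and disable pty allocation and every kind of forwarding for this key.
build_authorized_keys_line() {
    pubkey="$1"
    wrapper="$2"
    printf 'command="%s",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding %s\n' \
        "$wrapper" "$pubkey"
}

# Return 0 only for exactly "scp -t <UPLOAD_DIR>/<plain filename>".
# Everything else (scp -f downloads, rsync, a shell, "..", subdirectories,
# dotfiles, spaces, globs or ';') is refused. If the client sends scp -p the
# remote command becomes "scp -p -t ..." and this prefix must be extended.
check_original_command() {
    cmd="$1"
    case "$cmd" in
        "scp -t $UPLOAD_DIR/"*) ;;
        *) return 1 ;;
    esac
    target="${cmd#scp -t $UPLOAD_DIR/}"
    case "$target" in
        "")                 return 1 ;;   # no filename at all
        .*)                 return 1 ;;   # dotfiles, "." and ".."
        *[!A-Za-z0-9._-]*)  return 1 ;;   # anything outside a safe filename alphabet
    esac
    return 0
}

# Entry point when sshd invokes the wrapper: sshd puts the client's requested
# command in SSH_ORIGINAL_COMMAND. The accepted command is re-built from the
# validated filename rather than re-executing the client's string verbatim.
run_forced_command() {
    if check_original_command "${SSH_ORIGINAL_COMMAND:-}"; then
        target="${SSH_ORIGINAL_COMMAND#scp -t $UPLOAD_DIR/}"
        exec scp -t "$UPLOAD_DIR/$target"
    fi
    logger -t scp-only "rejected command from ${SSH_CLIENT%% *}: ${SSH_ORIGINAL_COMMAND:-<none>}"
    echo "Only scp uploads into $UPLOAD_DIR are permitted" >&2
    exit 1
}

# Only act as the forced command when sshd actually set the variable, so the
# file can also be sourced to reuse the two functions above.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    run_forced_command
fi
```

Install the wrapper as `/usr/local/bin/scp-only`, generate the backup key without a passphrase as Chris does, and add the line that `build_authorized_keys_line` prints to the backup user's `~/.ssh/authorized_keys`; the user's login shell can stay a real shell, since the forced command replaces anything the key could otherwise run. Rejections show up in syslog tagged `scp-only`, which is the check to watch for a key that has been copied and tried against the account.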