How to set up ssh-only user with minimal privileges?

Petter Adsen petter at synth.no
Fri Apr 3 16:08:26 UTC 2015


On Fri, 3 Apr 2015 16:39:33 +0100
Chris Green <cl at isbd.net> wrote:

> On Fri, Apr 03, 2015 at 04:42:39PM +0200, Petter Adsen wrote:
> > On Thu, 2 Apr 2015 15:59:01 +0000 (UTC)
> > Dan Purgert <dan at djph.net> wrote:
> > 
> > > On Thu, 02 Apr 2015 16:22:59 +0200, Petter Adsen wrote:
> > > 
> > > > I have a short script running from cron on a server running
> > > > 14.10, that creates a small backup of essential system files.
> > > > What I want to do is set up this script to scp the tarball to
> > > > another, remote system.
> > > > 
> > > > So, I need to create an account on the remote system and set up
> > > > keys, but I want this account to only be able to deposit the
> > > > archive somewhere, and not be able to get to a shell or do
> > > > anything else.
> > > > 
> > > > Is it enough to set the shell for the user to something
> > > > like /bin/false? Will that user still be able to deposit the
> > > > file via scp? Is there anything else I can do to lock down that
> > > > account?
> > > > 
> > > > Petter
> > > 
> > > Yep, /bin/false should do it.  Just make sure you give them a
> > > home directory for dumping files to (cron move job or something
> > > can handle it from there).
> > 
> > As it turns out, setting the shell to /bin/false
> > or /usr/sbin/nologin does *not* work. It seems scp requires a
> > regular ssh connection to transfer the files. Just thought I'd
> > mention it in case anybody else needs to do this.
> > 
> > I will probably look into setting up a separate sshd on another port
> > and chroot that. But that will have to happen tomorrow :)
> > 
> One thing you can do is use the remote authorized_keys file to allow
> only certain commands to run when logging in with that key.  I use
> this to allow passwordless (i.e. ssh key with no passphrase) backups
> which won't let anything else happen.
> 
> In my case I use rsync for the backup and the relevant key in
> authorized_keys starts with:-
> 
>     command="rsync --server -vlogDtpr . backups",no-pty,no-port-forwarding

Oh, thanks! That's really useful to know, and pretty much exactly what
I was looking for.

> You need to read the ssh documentation carefully to get the details of
> this right but it's very effective.

Yes, I'll have a good, long look at it tomorrow so I get it right, but
I didn't know this was possible at all.

Petter

-- 
"I'm ionized"
"Are you sure?"
"I'm positive."
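Added example (not part of the original thread): a forced-command wrapper that applies the authorized_keys technique described above to the scp upload from the original question. The script path, drop directory and function name are assumptions, and it assumes the legacy scp protocol, in which the client asks the server to run `scp -t <dir>`.

```shell
#!/bin/sh
# Added example: forced-command gate for a backup-only key (names are assumptions).
# authorized_keys entry on the remote host, all on one line:
#   command="/usr/local/bin/backup-gate",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding <public-key>

DROP_DIR="/srv/backups/incoming"   # assumed drop directory

# Succeed only for an scp upload ("sink" mode, -t) into DROP_DIR.
backup_cmd_allowed() {
    cmd=$1
    # Allowlist characters first: no quotes, ;, |, $, backticks, globs or newlines.
    case $cmd in
        *[!A-Za-z0-9" "/._-]*) return 1 ;;
    esac
    set -- $cmd                      # split on whitespace; nothing left to expand
    [ "${1:-}" = scp ] || return 1
    shift
    sink=0
    while [ $# -gt 1 ]; do
        case $1 in
            -t) sink=1 ;;            # receive files
            -p|-v|-d) ;;             # harmless flags the scp client may add
            *) return 1 ;;           # -f (read files back), -r, extra paths
        esac
        shift
    done
    [ "$sink" -eq 1 ] && [ "${1:-}" = "$DROP_DIR" ]
}

# sshd puts the client's request in SSH_ORIGINAL_COMMAND. With no request
# (an interactive login attempt) nothing runs and the session ends.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    if backup_cmd_allowed "$SSH_ORIGINAL_COMMAND"; then
        exec $SSH_ORIGINAL_COMMAND   # unquoted on purpose: validated above
    fi
    echo "backup-gate: refused: $SSH_ORIGINAL_COMMAND" >&2
    exit 1
fi
```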

