We have a requirement to export logs from several appliances (actually Infoblox DNS servers). The appliances can be configured to export using scp (but only using a password).
So we have no alternative to having the passwords in the appliance configs. To reduce the risk of this I have set up the upload account on an Ubuntu server and locked it down using rssh to scp only. I have set the umask to write only and denied read access on the directory to the upload account.
That works nicely -- one can upload files but not copy them out again. What I cannot see how to do is stop that account from accessing any world-readable file on the system without using chroot -- which has its own problems!
I suspect that there isn't a way but thought I would ask.
From the lack of response I conclude that there is no obvious way to secure the account against someone who knows the account credentials without rssh being setuid root so it can chroot to the home directory.
If one were to do this then there is the risk that there may be undiscovered bugs in rssh which can be exploited to allow an attacker a way of breaking out of the chroot jail and taking over the host.
In my case I only allow scp so (as far as I can see) an attacker has no direct way of interacting with rssh. If there are bugs in the ssh implementation then we all have much bigger problems!
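An added example, not part of the original posts: a mode-bit audit for the setup described above. It checks that the drop directory is writable but not listable, that uploaded files cannot be read back, and counts the world-readable files that remain reachable without a chroot. The function names and the throwaway demo directory are made up for illustration; it assumes GNU `stat` and `find` as shipped on Ubuntu, and that on the real host it runs as root with the permission class (owner, group or other) that the upload account falls into.

```bash
#!/usr/bin/env bash
# Added example: audit a write-only scp drop directory by inspecting mode bits.
# Run as root on the real host, since the upload account cannot list the
# directory itself. All function names here are hypothetical.

# class_digit PATH owner|group|other -> prints that class's rwx digit (0-7)
class_digit() {
    local mode off
    mode=$(stat -c '%a' "$1") || return 2       # GNU stat prints octal mode
    case $2 in
        owner) off=6 ;; group) off=3 ;; other) off=0 ;;
        *) return 2 ;;
    esac
    echo $(( (0$mode >> off) & 7 ))
}

# True when CLASS may create files in DIR (w+x) but may not list it (no r).
dropdir_is_write_only() {
    [ "$(class_digit "$1" "$2")" -eq 3 ]
}

# Print uploaded files that CLASS could still read back (umask too loose).
readable_uploads() {
    local bit
    case $2 in
        owner) bit=0400 ;; group) bit=0040 ;; other) bit=0004 ;;
        *) return 2 ;;
    esac
    find "$1" -mindepth 1 -maxdepth 1 -type f -perm "-$bit" | sort
}

# Count world-readable regular files under ROOT: what the account can still
# fetch with scp when there is no chroot.
world_readable_count() {
    find "$1" -xdev -type f -perm -0004 2>/dev/null | wc -l | tr -d ' '
}

# Constructed demo on a throwaway directory standing in for the real drop dir.
demo=$(mktemp -d)
mkdir "$demo/drop"
: > "$demo/drop/good.log";  chmod 0200 "$demo/drop/good.log"
: > "$demo/drop/leaky.log"; chmod 0600 "$demo/drop/leaky.log"
echo "uploads the owner can read back:"; readable_uploads "$demo/drop" owner
chmod 0300 "$demo/drop"
dropdir_is_write_only "$demo/drop" owner && echo "drop dir is write-only"
chmod 0700 "$demo/drop"; rm -rf "$demo"
```

Running `world_readable_count /` on the host gives a rough measure of the exposure the posts describe; the number only drops by tightening file modes or by confining the account.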