I want to set up a cron job to transfer data from one host (A) to another (B).
My understanding so far is that I will have to create a user on machine B, so that scp can copy the files to a folder in the user's home directory.
However, I do not want the newly created user to HAVE ANY permissions over the bare minimum necessary to copy the files from machine A to B.
I think the user:
- needs to be able to login to machine B
- should not be able to run either sudo or su
- ideally, should not be able to cd above their home directory (sounds like a chrooted user, don't know if that is possible)
- should only be able to write to a single file (in its home directory on machine B) and not even be allowed to run any processes or script etc.
The whole purpose of this user is simply to be able to transfer files over occasionally, from machine A to machine B, without in any way compromising the security of machine B.
I would want to run this transfer as an unattended cron job. I would also like to send the file as compressed and encrypted, so I need to know how to be able to:
- encrypt without prompting for a password (so it can be used in a script)
- how to use scp without being prompted for a password
Any help on the above will be appreciated
BTW, I am running Ubuntu 10.0.4 LTS and I am thinking of using gpg for encryption, but I am open to suggestions/recommendations
You can install rssh for this: a Restricted SSH Shell. This will restrict your user to initiating an SFTP or SCP session only. When the user tries to open a terminal session, rssh will reject the request.
The rssh shell can be activated by assigning it as the shell of the user. This can be done in /etc/passwd, for example.
Note that the user will still have access to read every regular file on the disk. This can be addressed with SELinux/AppArmor/a chroot, but that's a relatively complex setup. If you care about access to specific folders only, I'd suggest running a dedicated FTPS server instead.
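A check for the account setup described in the answer above, as an added example that is not part of the original post: it audits passwd and group data to confirm a transfer-only account has a restricted login shell and no membership in a group that grants sudo. The rssh path `/usr/bin/rssh`, the privileged group names, and the sample accounts are assumptions; it does not cover the file read access the answer mentions.

```python
# Added example: audit a transfer-only account against passwd/group data.
RESTRICTED_SHELLS = {"/usr/bin/rssh"}                    # assumed rssh install path
PRIVILEGED_GROUPS = {"sudo", "admin", "root", "wheel"}   # assumed sudo-granting groups


def audit_transfer_user(user, passwd_text, group_text):
    """Return a list of findings; an empty list means the account passes."""
    findings = []
    entry = None
    for line in passwd_text.splitlines():
        fields = line.strip().split(":")
        if len(fields) == 7 and fields[0] == user:
            entry = fields
            break
    if entry is None:
        return [f"{user}: no passwd entry"]
    _, _, uid, gid, _, _home, shell = entry
    if uid == "0" or gid == "0":
        findings.append(f"{user}: uid/gid 0 gives root privileges")
    if shell not in RESTRICTED_SHELLS:
        findings.append(f"{user}: login shell {shell or '(default)'} is not restricted")
    for line in group_text.splitlines():
        fields = line.strip().split(":")
        if len(fields) != 4:
            continue
        name, _, group_gid, members = fields
        # Membership is either supplementary (member list) or primary (gid match).
        is_member = user in members.split(",") or group_gid == gid
        if is_member and name in PRIVILEGED_GROUPS:
            findings.append(f"{user}: member of privileged group {name}")
    return findings


# Constructed sample data (not from a real host).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
xfer:x:1001:1001:transfer only:/home/xfer:/usr/bin/rssh
backup2:x:1002:1002:misconfigured:/home/backup2:/bin/bash
"""
SAMPLE_GROUP = """\
admin:x:110:alice,backup2
xfer:x:1001:
backup2:x:1002:
"""

if __name__ == "__main__":
    for account in ("xfer", "backup2"):
        result = audit_transfer_user(account, SAMPLE_PASSWD, SAMPLE_GROUP)
        print(account, "OK" if not result else result)
```

On a real host, pass the contents of /etc/passwd and /etc/group in place of the sample strings.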
May I recommend that you don't use sftp? Locking down a user account where people can log in so nothing can be done is pretty hard, and sftp relies on normal ssh authentication.
Instead, I would recommend that you use ftps. This way you get the encrypted tunnel, and you can use X.509 client certificates for authentication, avoiding passwords.
See https://help.ubuntu.com/10.04/serverguide/C/ftp-server.html for more information about ftps.