Is there any way to configure a user on a Linux box (Centos 5.2 in this case) so that they can use scp to retrieve files, but can't actually login to the server using SSH?
You may need to use ps to on the target to set the right command settings.
PS: If you run a test scp command with "-v" you can see something like this
debug1: Sending command: scp -v -t myfile.txt
You will note that "-t" is an undocumented scp option, used by the program on the far end. This gives you the idea of what you need to put into authorized_keys.
It displays verbose information (optionnal: you can remove the -v from both command and authorized_keys file)
It recursively copies the content of the path/to/data. (optionnal: you can remove -r from both command and authorized_keys file if you do not want to make a recursive copy)
It uses port 2222 to connect to the server (optionnal: you can remove -P 2222 from the command)
It uses and identity file to automate the connection (optionnal: you can remove -i .ssh/id_rsa_key_file
The content of path/to/data will be copied into /path/to/directory/with/accessible/content/
To make a copy of a file (or several) from the server to the client, you should create a shell script that handles this as described here
I'm a bit late to the party, however I will suggest you take a look at the ForceCommand directive of OpenSSH.
Subsystem sftp internal-sftp
Match group sftponly
ForceCommand internal-sftp
Granted, this is SFTP and not SCP, but it reaches the same goal, more securely than with a restricted shell. Additionally, you can chroot the user if you want to.
It is a restricted shell that allows users to do just what it sounds like, SCP files to the server, but not actually log in. Information and source code downloads for the software are available here and the pre-compiled RPM packages are available via the EPEL YUM Repositories.
Once installed, you will need to configure each user account, which you wish to restrict access to, to use the newly installed restricted shell. You can do this manually via /etc/passwd or use the following command: usermod -s /usr/bin/scponly USERNAME
Very late to the party, but just set shell of the git user to be /usr/bin/git-shell. It's a restricted shell that doesn't allow interactive login. You can still su in to the user with 'su -s /bin/bash git' or whatever your git username is.
#!/bin/bash
# /usr/local/bin/remote-cmd.sh
case $SSH_ORIGINAL_COMMAND in
'scp'*)
$SSH_ORIGINAL_COMMAND
;;
'rsync'*)
$SSH_ORIGINAL_COMMAND
;;
*)
echo "Access Denied"
;;
esac
I guess you'd probably still need to protect the user's authorized_keys file, but my purpose was to have a password-less key that I could use for backups, without having to create a whole new user, and have the key not give a shell (ok, easily)
Change the login shell of the user to something restrictive, which lets the user run only scp, sftp-server and rsync only, and it also checks that unsafe arguments are not allowed (e.g. scp -S ... and rsync -e ... are unsafe, see here: http://exploit-db.com/exploits/24795). Example for such restrictive login shell:
You may want to run one of these in a chroot or in another restricted environment (e.g. nsjail on Linux), to disable network access and for easier (whitelisted) control of which directories can be read and/or written.
I don't recommend using command="..." in ~/.ssh/authorized_keys, because without careful additional protection (such as chmod -R u-w ~ for the user) a malicious user can upload a new version of ~/.ssh/authorized_keys, ~/.ssh/rc or ~/.bashrc, and thus can include and execute arbitrary commands.
DEPRECATED: Please note the following answer is out of date. rssh is no longer maintained and is no longer a secure method.
rssh shell (http://pizzashack.org/rssh/) is designed for precisely this purpose.
Since RHEL/CentOS 5.2 doesn't include a package for rssh, you might look here to obtain an RPM: http://dag.wieers.com/rpm/packages/rssh/
To use it just set it as a shell for a new user like this:
..or change the shell for an existing one like this:
..and edit
/etc/rssh.confto configure rssh shell - especially uncommentallowscpline to enable SCP access for all rssh users.(You may also want to use chroot to keep the users contained in their homes but that's another story.)
I'm way late to this but you could use ssh keys and specify the exact command allowed in their ~/.ssh/authorized_keys file e.g.
You may need to use ps to on the target to set the right command settings.
PS: If you run a test scp command with "-v" you can see something like this
You will note that "-t" is an undocumented scp option, used by the program on the far end. This gives you the idea of what you need to put into authorized_keys.
EDIT: You can find more information (with several links) in this StackOverflow question.
Here is a working example of this, for a user named
backup_useron the server side.~backup_user/.ssh/authorized_keyscontent on server side (with some more security restrictions):Create a link in ~backup_user/ that links to the directory where the content should be accessible.
Now, from client side, the following command should work :
What this command do:
-vfrom both command and authorized_keys file)-rfrom both command and authorized_keys file if you do not want to make a recursive copy)-P 2222from the command)-i .ssh/id_rsa_key_filepath/to/datawill be copied into/path/to/directory/with/accessible/content/To make a copy of a file (or several) from the server to the client, you should create a shell script that handles this as described here
I'm a bit late to the party, however I will suggest you take a look at the
ForceCommanddirective of OpenSSH.Granted, this is SFTP and not SCP, but it reaches the same goal, more securely than with a restricted shell. Additionally, you can chroot the user if you want to.
I use MySecureShell to do this. You can configure other restrictions too.
https://github.com/mysecureshell/mysecureshell
Limits connections to SFTP/SCP only. No shell access.
I'd recommend using scponly.
It is a restricted shell that allows users to do just what it sounds like, SCP files to the server, but not actually log in. Information and source code downloads for the software are available here and the pre-compiled RPM packages are available via the EPEL YUM Repositories.
Once installed, you will need to configure each user account, which you wish to restrict access to, to use the newly installed restricted shell. You can do this manually via /etc/passwd or use the following command:
usermod -s /usr/bin/scponly USERNAMEVery late to the party, but just set shell of the git user to be /usr/bin/git-shell. It's a restricted shell that doesn't allow interactive login. You can still su in to the user with 'su -s /bin/bash git' or whatever your git username is.
We use a psudo shell called scponly on our secure ftp servers for users we only want to be able to scp files but not log in.
I've found a nice way is to use the command="..." feature of the authorized_keys file. (Suggested to me by this page)
The command you'd run would be one that tests for arguments that start with scp (and rsync).
Here's the authorized_keys file:
Here's the contents of remote-cmd.sh:
I guess you'd probably still need to protect the user's authorized_keys file, but my purpose was to have a password-less key that I could use for backups, without having to create a whole new user, and have the key not give a shell (ok, easily)
Change the login shell of the user to something restrictive, which lets the user run only scp, sftp-server and rsync only, and it also checks that unsafe arguments are not allowed (e.g. scp -S ... and rsync -e ... are unsafe, see here: http://exploit-db.com/exploits/24795). Example for such restrictive login shell:
You may want to run one of these in a chroot or in another restricted environment (e.g. nsjail on Linux), to disable network access and for easier (whitelisted) control of which directories can be read and/or written.
I don't recommend using
command="..."in~/.ssh/authorized_keys, because without careful additional protection (such aschmod -R u-w ~for the user) a malicious user can upload a new version of~/.ssh/authorized_keys,~/.ssh/rcor~/.bashrc, and thus can include and execute arbitrary commands.Its not the most graceful solution, but you could throw something like this into the users .bashrc
I've found that SCP users get a TERM of 'dumb', and others will typically get vt100.
I imagine the user could probably scp over a new .bashrc, which makes this not the best solution, but for a quick and dirty solution, this will work