Home / server / Questions / 905263
In Process
Jan Hadáček
Asked: 2018-03-30 12:28:28 +0800 CST

Can I use SFTP as SCP?

  • 772

My client wants a simple storage accessible via SCP and SFTP. There will be two user accounts, one is read-only and the other is read-write.

For security reasons I want to dumb it down as much as possible:

  1. I want the user to be restricted to their home directory without a way to get out
  2. User's root directory must remain writable. SSH's internal-sftp with chroot unfortunately fails this one
  3. I don't want to allow any access to a normal shell
  4. I don't want users to be able to mess with permissions/owners of the files

So far I have implemented SFTP using SSH + MySecureShell, it works and it seems pretty bulletproof. However, SCP does not work, which was one of the requirements of my client.

  1. Is there any way to make SCP work with MySecureShell? Or some other shell?
  2. If not, is there some way to use sftp from a command line like you would scp? I mean, not interactively and using syntax as close to SCP as possible.
linux

1 Answers

  1. In the /etc/ssh/sshd_config change the SFTP subsystem type:

    Subsystem       sftp    internal-sftp

    This allows to perform all the filesystem operations without any shell. Then change the user's shell in the passwd file to the /bin/true or something else harmless. Ensure added "shell" is mentioned in the /etc/shells as legal binary allowed to be used as shell.

    Also you can restrict users by chroot feature of the internal-sftp.

    Match                   User alice 
  X11Forwarding         no
  AllowTcpForwarding    no
  ChrootDirectory       /some/place/alicedir

    Directories some, place and alicedir should be owned by root and should not be writable by anyone except root. Directory alicedir should contain directories like upload, htdocs or else that should be owned by alice with rwx------/700 permissions.

    • 6