On 02/28/2013 02:08 PM, Andrew Hume wrote:
> i would like to set up a server running centos 6 so that some specific users
> can transfer files in and do nothing else.
>
> if they were using sftp, there are numerous pages detailing how to set up jails
> and configure sshd to only do sftp-server. how do i do that for scp?
> by experiment, i can probably set up a jail and just have the scp binary,
> but this seems a fair bit of work for what i would have thought to be a
> somewhat common case.
>

Hello,

There are, at least, two ways to make sure the users can only use "scp" to a server.

One is to use something like "scponly", which has the advantage of allowing your authentication scheme of choice (password, key, Kerberos, ...).

Another way, which does not require anything more than SSH, is to use a "forced command" with key-based authentication. This also allows you to set the destination directory independently of what the user puts on their command line.

For the second method, I just insert something like

    no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding,from="ClientIPAddress",command="/usr/bin/scp -t DestDir"

in front of the public key in the user's "~/.ssh/authorized_keys" (with a space between the last double-quote and the key).

Of course, the "authorized_keys" file is not writable by the users and not in "DestDir".

Most of the time (as in the example) I also limit the machine(s) from which the data can come (a comma-separated list of hostnames and IP addresses between double quotes).

The "sshd" (not "sshd_config") manpage details the options available in users' "authorized_keys" files.

Loïc.
--
| Loïc Tortay <tor...@cc.in2p3.fr> - IN2P3 Computing Centre |
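
Added example, not part of the original message: a small auditor that parses the options field of each "authorized_keys" line and reports keys that lack the restrictions and the forced "scp -t" command described above. The function names, the sample addresses, hostnames and destination directory, the absolute-path rule for scp, and the acceptance of the newer "restrict" option are assumptions of this example.

```python
import re

# Flags the message puts in front of the key; sshd(8) option keywords are case-insensitive.
REQUIRED = {"no-pty", "no-port-forwarding", "no-x11-forwarding", "no-agent-forwarding"}
KEY_TYPE = re.compile(r"(ssh-|ecdsa-|sk-)")
OPTION = re.compile(r'([A-Za-z0-9-]+)(?:="((?:[^"\\]|\\.)*)")?(?:,|$)')
SCP_SINK = re.compile(r"/\S+/scp -t \S+")  # assumed policy: absolute scp path, one destination

def parse_options(line):
    """Return the options field of one authorized_keys line as {name: value or None}."""
    if KEY_TYPE.match(line):  # line starts with the key type: no options at all
        return {}
    in_quote, i = False, 0
    while i < len(line) and (in_quote or line[i] != " "):  # field ends at first unquoted space
        if line[i] == "\\" and in_quote:
            i += 1  # skip the escaped character
        elif line[i] == '"':
            in_quote = not in_quote
        i += 1
    return {m.group(1).lower(): m.group(2) for m in OPTION.finditer(line[:i])}

def audit_line(line):
    """Return findings for one key line; an empty list means it follows the pattern."""
    opts = parse_options(line.strip())
    # "restrict" (OpenSSH 7.2 and later) switches all of these restrictions on at once
    missing = set() if "restrict" in opts else REQUIRED - set(opts)
    findings = [f"missing {flag}" for flag in sorted(missing)]
    command = opts.get("command")
    if command is None:
        findings.append("no forced command")
    elif not SCP_SINK.fullmatch(command):
        findings.append("forced command is not scp -t DestDir")
    if not opts.get("from"):
        findings.append("no from= restriction")
    return findings

def audit(text):
    report = {}
    for number, line in enumerate(text.splitlines(), 1):
        is_key = line.strip() and not line.lstrip().startswith("#")
        findings = audit_line(line) if is_key else []
        if findings:
            report[number] = findings
    return report

SAMPLE = '''# constructed sample; key material, hosts and paths are placeholders
no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding,from="192.0.2.10,upload.example.org",command="/usr/bin/scp -t /srv/incoming" ssh-rsa AAAAPLACEHOLDER alice@client
ssh-rsa AAAAPLACEHOLDER bob@client
no-pty,command="/bin/sh" ssh-ed25519 AAAAPLACEHOLDER carol@client'''
```

Calling audit() on the contents of each restricted user's "authorized_keys" returns a mapping from line number to findings; the file's ownership and write permissions still have to be checked separately.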