On 2/28/2013 6:18 AM, Loic Tortay wrote:
> For the second method, I just insert something like no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding,from="ClientIPAddress",command="/usr/bin/scp -t DestDir" in front of the public key in the user's "~/.ssh/authorized_keys" (with a space between the last double-quote and the key).

One variation on this is to use a Match statement in sshd_config. Put the users restricted to scp in a specific group and create a match statement for that group with the arguments Loic mentioned for authorized_keys.

If you go down the force command route, another trick is to write a script with the set of valid commands, and then use that script as the force command. One benefit is the ability to change the force command without having to edit authorized_keys for every user or sshd_config to make a change to the allowed command.

I've used both of the above for restricting rsync commands; not sure how scp might differ.

Tony
_______________________________________________
Tech mailing list
Tech@lists.lopsa.org
https://lists.lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
http://lopsa.org/
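
The wrapper-script approach from the message above, as an added example that is not code from the thread or its authors. The install name ssh-allow, the upload directory /srv/incoming and the two allowlist entries are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed install path:
# /usr/local/sbin/ssh-allow, referenced by command="..." in authorized_keys
# or by ForceCommand inside a Match Group block in sshd_config.
DEST_DIR="/srv/incoming"   # assumption: upload target, path without spaces

# Map the client's request to a fixed command line. The request only selects
# an entry; it is never handed to a shell or eval. Returns 1 if not listed.
allowed_command() {
    case $1 in
        "scp -t $DEST_DIR")    echo "/usr/bin/scp -t $DEST_DIR" ;;
        "scp -p -t $DEST_DIR") echo "/usr/bin/scp -p -t $DEST_DIR" ;;
        *) return 1 ;;
    esac
}

main() {
    # sshd puts what the client asked to run in SSH_ORIGINAL_COMMAND;
    # it is unset when the client asked for an interactive shell.
    request=${SSH_ORIGINAL_COMMAND:-}
    if ! run=$(allowed_command "$request"); then
        logger -t ssh-allow -p auth.warning \
            "denied user=$(id -un) from=${SSH_CLIENT%% *} cmd=$request"
        echo "ssh-allow: command not permitted" >&2
        exit 1
    fi
    set -f        # no globbing when the fixed string is split into words
    exec $run
}

# Run only when invoked under the installed name, so the function above can
# be sourced and tested without executing anything.
case ${0##*/} in
    ssh-allow) main ;;
esac
```

Since OpenSSH 9.0 the scp client uses the SFTP protocol by default, so a client has to run scp -O for its request to arrive as "scp -t ...".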