Add ssh user with minimum rights for backup
Solution 1
You can specify which command is used in the authorized key file on the server (this overrides the command the user supplies). According to man sshd (section AUTHORIZED_KEYS FILE FORMAT):
    command="command"
        Specifies that the command is executed whenever this key is used
        for authentication. The command supplied by the user (if any)
        is ignored. The command is run on a pty if the client requests
        a pty; otherwise it is run without a tty. If an 8-bit clean
        channel is required, one must not request a pty or should specify
        no-pty. A quote may be included in the command by quoting
        it with a backslash. This option might be useful to restrict
        certain public keys to perform just a specific operation. An
        example might be a key that permits remote backups but nothing
        else. Note that the client may specify TCP and/or X11 forwarding
        unless they are explicitly prohibited. The command originally
        supplied by the client is available in the
        SSH_ORIGINAL_COMMAND environment variable. Note that this
        option applies to shell, command or subsystem execution. Also
        note that this command may be superseded by either a
        sshd_config(5) ForceCommand directive or a command embedded in a
        certificate.
Put in the authorized_keys file:
command="scp -t -- /var/tmp" ssh-rsa ......
This forces a command scp some_file user@server:/some/directory on the client to create /var/tmp/some_file on the server.
Check that the user cannot overwrite ~/.ssh/authorized_keys on the server!
You can make more restrictions, allowing only from a certain client. I use:
no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty,command="scp...
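One way to check an authorized_keys line against the restrictions listed above, as an added example that is not part of the original answer. The function names and the sample key line are constructed; `restrict` and the re-enabling keywords (`pty`, `port-forwarding`, `X11-forwarding`, `agent-forwarding`) are standard sshd options that are applied in order, so the last one wins.

```shell
#!/bin/sh
# Added example: report which restrictions an authorized_keys line lacks.

# Print the options field, one option per line. The field ends at the first
# unquoted space; options are separated by unquoted commas. A line with no
# options yields its key type, which matches no restriction below.
split_options() {
    rest=$1 inq=0 cur=
    while [ -n "$rest" ]; do
        c=${rest%"${rest#?}"}; rest=${rest#?}
        case "$inq$c" in
            '0"') inq=1; cur=$cur$c ;;
            '1"') inq=0; cur=$cur$c ;;
            '1\') cur=$cur$c${rest%"${rest#?}"}; rest=${rest#?} ;;  # keep \" in command="..."
            '0,') printf '%s\n' "$cur"; cur= ;;
            '0 ') break ;;
            *)    cur=$cur$c ;;
        esac
    done
    printf '%s\n' "$cur"
}

# Print the missing restrictions, space-separated (empty = fully restricted).
# Option keywords are case-insensitive and processed left to right.
missing_restrictions() {
    cmd=0 pf=0 x11=0 ag=0 pty=0
    while IFS= read -r o; do
        case $(printf '%s' "${o%%=*}" | tr 'A-Z' 'a-z') in
            command)             cmd=1 ;;
            restrict)            pf=1 x11=1 ag=1 pty=1 ;;
            no-port-forwarding)  pf=1 ;;  port-forwarding)  pf=0 ;;
            no-x11-forwarding)   x11=1 ;; x11-forwarding)   x11=0 ;;
            no-agent-forwarding) ag=1 ;;  agent-forwarding) ag=0 ;;
            no-pty)              pty=1 ;; pty)              pty=0 ;;
        esac
    done <<EOF
$(split_options "$1")
EOF
    miss=
    [ "$cmd" = 1 ] || miss="$miss command"
    [ "$pf"  = 1 ] || miss="$miss no-port-forwarding"
    [ "$x11" = 1 ] || miss="$miss no-X11-forwarding"
    [ "$ag"  = 1 ] || miss="$miss no-agent-forwarding"
    [ "$pty" = 1 ] || miss="$miss no-pty"
    printf '%s\n' "${miss# }"
}

# Constructed sample line (the key material is a placeholder, not a real key).
sample='command="scp -t -- /var/tmp" ssh-rsa AAAAEXAMPLEKEY backup@client'
echo "missing: $(missing_restrictions "$sample")"
```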
Solution 2
Set up an sftp-chroot for that user.
I found the easiest way to do so (CentOS) is by:
- cloning the ssh-init-script
- using a special configuration-file for that sshd-instance
In the configuration use the following settings:
PermitRootLogin no
PasswordAuthentication no
GSSAPIAuthentication no
AllowTcpForwarding no
PrintMotd no
PrintLastLog no
PidFile /var/run/sshd_sftp.pid
ChrootDirectory /opt/%u/chroot
Subsystem sftp internal-sftp
AllowGroups sftp
Now create /opt/USERNAME/chroot/home/USERNAME and any other directories below chroot you want the user to have access to.
Put the public-key for the user into /home/USERNAME/.ssh/authorized_keys.
Allocate the group sftp as primary or secondary group to that user.
Done.
user4811
Updated on September 18, 2022
Comments
-
user4811 over 1 year
I have a small server running Debian and I want to add an account with SSH access for backups. The user of this account should have no console access. He can only transfer (backup) data via SCP to/from one directory on the server, nothing more. How can I do this?
edit
I have found a solution. https://superuser.com/questions/299036/can-i-create-an-ssh-user-which-can-access-only-certain-directory contains a different question but the solution exactly solves my problem.
-
Nils over 10 years
This is not a duplicate. The question here is: Only transfer files.
-
user4811 over 10 years
I have found a solution in another post (I have edited my question). Nevertheless thanks for your help!!
-
Nils over 10 years
@user4811 if the answer was useful, upvote it.
-
peterph over 10 years
@Nils you should also use ForceCommand internal-sftp to make sure the user is not able to transfer binaries into the chroot and then execute them. Removing options from the config snippet that aren't directly related to the question (e.g. authentication options) might help as well.