Add ssh user with minimum rights for backup

debian ssh backup access-control

6,829

Solution 1

You can specify which command is used in the authorized key file on the server (this overrides the command the user supplies). According to man sshd (section AUTHORIZED_KEYS FILE FORMAT):

 command="command"
         Specifies that the command is executed whenever this key is used
         for authentication.  The command supplied by the user (if any)
         is ignored.  The command is run on a pty if the client requests
         a pty; otherwise it is run without a tty.  If an 8-bit clean
         channel is required, one must not request a pty or should spec‐
         ify no-pty.  A quote may be included in the command by quoting
         it with a backslash.  This option might be useful to restrict
         certain public keys to perform just a specific operation.  An
         example might be a key that permits remote backups but nothing
         else.  Note that the client may specify TCP and/or X11 forward‐
         ing unless they are explicitly prohibited.  The command origi‐
         nally supplied by the client is available in the
         SSH_ORIGINAL_COMMAND environment variable.  Note that this
         option applies to shell, command or subsystem execution.  Also
         note that this command may be superseded by either a
         sshd_config(5) ForceCommand directive or a command embedded in a
         certificate.

Put in the authorized_keys file:

command="scp -t -- /var/tmp" ssh-rsa ......

This force a command scp some_file user@server:/some/directory on client to create /var/tmp/some_file on server.

Check that the user cannot overwrite ~/.ssh/authorized_keys on the server!

You can make more restrictions, allowing only from a certain client. I use:

no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty,command="scp...

Solution 2

Set up a sftp-chroot for that user.

I found the easiest way to do (CentOS) so by:

cloning the ssh-init-script
Use a special configuration-file for that sshd-instance

In the configuration use the following settings:

PermitRootLogin no
PasswordAuthentication no
GSSAPIAuthentication no
AllowTcpForwarding no
PrintMotd no
PrintLastLog no
PidFile /var/run/sshd_sftp.pid
ChrootDirectory /opt/%u/chroot
Subsystem sftp internal-sftp
AllowGroups sftp

Now create /opt/USERNAME/chroot/home/USERNAME and any other directories below chroot you want the user to have access to.

Put the public-key for the user into /home/USERNAME/.ssh/authorized_keys.

Allocate the group sftp as primary or secondary group to that user.

Done.

6,829

user4811

Updated on September 18, 2022

Comments

user4811 over 1 year

I have a small server running Debian and I want to add an account with SSH access for backups. The user of this account should have no console access. He can only transfer (backup) data via SCP to/from one directory on the server, nothing more. How can I do this?

edit

I have found a solution. https://superuser.com/questions/299036/can-i-create-an-ssh-user-which-can-access-only-certain-directory contains a different question but the solution exactly solves my problem.
- Nils over 10 years
  
  This is not a duplicate. The question here is: Only transfer files.
user4811 over 10 years

I have found a solution in another post (I have edited my question). Nevertheless thanks for your help!!
Nils over 10 years

@user4811 if the answer was useful, upvote it.
peterph over 10 years

@Nils you should also use ForceCommand internal-sftpto make sure the user is not able to transfer binaries into the chroot and then execute them. Removing options from the config snippet that aren't directly related to the question (e.g. authentication options) might help as well.