I would like to share a directory on my server so that a colleague can synchronize it via Unison (two ways synchronization). I don't want him to be able to read files on the server via ssh access. It would be best if the ssh user can't log in, but only synchronizes via unison. How can I accomplish that?
There is the ill-advised [socket method of connecting to the server](https://www.cis.upenn.edu/~bcpierce/unison/download/releases/stable/unison-manual.html#socketmeth). – Mike Pierce Feb 29 '20 at 15:20
1 Answer
You can use the `command=` option in the `authorized_keys` file to force running Unison when the user connects via ssh. This means they cannot get a login shell. You can also disable port forwarding and other ssh features in this file.

The `~/.ssh/authorized_keys` line would look something like this (note the `-server` option for Unison):

```
command="/usr/bin/unison -server",no-port-forwarding,no-X11-forwarding,no-pty,no-agent-forwarding,no-user-rc ssh-rsa AAAAB3NzaC1y....
```

I haven't tested this.

For more information on the `command=` ssh option, see Restrict executable SSH commands with authorized keys.
Alternatively, you could use a VPN or ssh port-forwarding to encrypt the connection in the socket method which Mike Pierce mentioned above, but this would probably be more complex.

bitinerant
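The forced-command setup from the answer, as an added example that is not part of the original answer or of Unison itself. The first function builds the restricted `authorized_keys` entry for a given public key; the second audits an existing file for key lines that carry no `command=` option and would therefore still hand out a login shell. The path `/usr/bin/unison` is assumed (the answer uses the same path; check with `command -v unison` on the server), and the key material in the demo is a constructed placeholder, not a real key.

```shell
# Added example (not code from the original answer): build the restricted
# authorized_keys entry described above and audit a file for keys that
# still permit an unrestricted login.

# Assumed path to the Unison binary on the server; verify with `command -v unison`.
UNISON_CMD="/usr/bin/unison -server"
# Same restrictions as the answer's example line.
RESTRICTIONS="no-port-forwarding,no-X11-forwarding,no-pty,no-agent-forwarding,no-user-rc"

# restricted_unison_key "<type> <base64> [comment]"
# Prints the authorized_keys line that forces Unison in server mode and
# disables the other SSH features. Returns 1 if the argument does not look
# like a public key (unknown key type or no key material).
restricted_unison_key() {
    pubkey=$1
    set -- $pubkey   # split the key line into type, base64 data, comment
    case $1 in
        ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521|sk-ssh-ed25519@openssh.com|sk-ecdsa-sha2-nistp256@openssh.com) ;;
        *) echo "restricted_unison_key: unsupported key type '$1'" >&2; return 1 ;;
    esac
    [ -n "$2" ] || { echo "restricted_unison_key: missing key material" >&2; return 1; }
    printf 'command="%s",%s %s\n' "$UNISON_CMD" "$RESTRICTIONS" "$pubkey"
}

# unrestricted_key_count FILE
# Prints the number of active key lines in FILE that carry no command=
# option, i.e. keys that would still give their holder a login shell.
# Blank lines and comment lines are ignored.
unrestricted_key_count() {
    [ -r "$1" ] || { echo "unrestricted_key_count: cannot read $1" >&2; return 2; }
    grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$1" | grep -vc 'command=' || true
}

# Demo on constructed data: the key material below is a placeholder, not a real key.
demo() {
    tmp=$(mktemp) || return 1
    restricted_unison_key "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYMATERIAL colleague@laptop" > "$tmp"
    echo "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIANOTHERPLACEHOLDER0000 admin@laptop" >> "$tmp"
    echo "keys without a forced command: $(unrestricted_key_count "$tmp")"   # 1: the admin key
    rm -f "$tmp"
}
demo
```

Two points worth keeping in mind when deploying this. OpenSSH 7.2 and later also accept a single `restrict` option that turns off port forwarding, agent forwarding, X11 forwarding, pty allocation and `~/.ssh/rc` at once, so `command="/usr/bin/unison -server",restrict ...` is an equivalent, shorter form. And `command=` pins which program runs (it applies to shell, command and subsystem requests alike, so sftp is covered too), but the directories Unison serves are chosen by the client side: the real confinement comes from the account's file permissions, which is why a dedicated user that owns only the shared directory is the natural fit for this setup.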