2

I want to set up a cron job to transfer data from one host (A) to another (B).

My understanding so far is that I will have to create a user on machine B, so that scp can copy the files to a folder in the user's home directory.

However, I do not want the newly created user to HAVE ANY permissions over the bare minimum necessary to copy the files from machine A to B.

I think the user:

  1. needs to be able to log in to machine B
  2. should not be able to run either sudo or su
  3. ideally, should not be able to cd above their home directory (sounds like a chrooted user, don't know if that is possible)
  4. should only be able to write to a single file (in its home directory on machine B) and not even be allowed to run any processes or script etc.

The whole purpose of this user is simply to be able to transfer files over occasionally, from machine A to machine B, without in any way compromising the security of machine B.

I would want to run this transfer as an unattended cron job. I would also like to send the file as compressed and encrypted, so I need to know how to be able to:

  1. encrypt without prompting for a password (so it can be used in a script)
  2. how to use scp without being prompted for a password

Any help on the above will be appreciated.

BTW, I am running Ubuntu 10.0.4 LTS and I am thinking of using gpg for encryption, but I am open to suggestions/recommendations.

user35402

2 Answers

2

You can install rssh for this: a Restricted SSH Shell. This will restrict your user to initiating an SFTP or SCP session only. When the user tries to open a terminal session, rssh will reject the request.

The rssh shell can be activated by assigning it as the shell of the user. This can be done in /etc/passwd, for example.

Note that the user will still have access to read every regular file on the disk. This can be addressed with SELinux/AppArmor/a chroot, but that's a relatively complex setup. If you care about access to specific folders only, I'd suggest running a dedicated FTPS server instead.

vdboor
  • Can you provide some more information on how to do this? I don't particularly like the idea of running an FTPS server on the server because 1) it is an extra potential security risk, 2) it consumes (already limited) resources on the server – user35402 Aug 06 '10 at 13:15
  • @morpheous You install `rssh`, and set `/usr/bin/rssh` as the "shell" of the user. That's basically it. For the chroot+rssh setup, there are plenty of tutorials on the Internet :) – vdboor Aug 06 '10 at 13:28
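
Once `/usr/bin/rssh` is set as the account's shell, the result can be checked against the question's requirements with a small audit like the one below. This is an added example, not code from the answer: the account names, the sample passwd/group contents and the assumption that sudo rights come from the `sudo` and `admin` groups are all constructed for illustration.

```shell
# Added example, not from the answers above. Assumptions: rssh is installed at
# /usr/bin/rssh, sudo rights come from the "sudo"/"admin" groups, and the
# account names and file contents below are constructed sample data.
RSSH_SHELL="/usr/bin/rssh"
PRIV_GROUPS="sudo admin"

# audit_account USER PASSWD_FILE GROUP_FILE
# Returns 0 if restricted as intended, 1 on findings, 2 if the user is absent.
audit_account() {
    user=$1; passwd_file=$2; group_file=$3; status=0
    entry=$(awk -F: -v u="$user" '$1 == u { print; exit }' "$passwd_file")
    if [ -z "$entry" ]; then
        echo "MISSING: no passwd entry for $user"; return 2
    fi
    uid=$(printf '%s\n' "$entry" | cut -d: -f3)
    gid=$(printf '%s\n' "$entry" | cut -d: -f4)
    shell=$(printf '%s\n' "$entry" | cut -d: -f7)
    if [ "$shell" != "$RSSH_SHELL" ]; then
        echo "FAIL: $user has shell '$shell', expected $RSSH_SHELL"; status=1
    fi
    if [ "$uid" = "0" ]; then
        echo "FAIL: $user has UID 0"; status=1
    fi
    for g in $PRIV_GROUPS; do
        # Membership is either the primary GID or the comma-separated list.
        if awk -F: -v g="$g" -v u="$user" -v gid="$gid" '
            $1 == g { if ($3 == gid) found = 1
                      n = split($4, m, ",")
                      for (i = 1; i <= n; i++) if (m[i] == u) found = 1 }
            END { exit !found }' "$group_file"; then
            echo "FAIL: $user is in privileged group $g"; status=1
        fi
    done
    [ "$status" -eq 0 ] && echo "OK: $user is limited to $RSSH_SHELL"
    return "$status"
}

SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/passwd" <<'EOF'
xfer:x:1001:1001:transfer only:/home/xfer:/usr/bin/rssh
deploy:x:1002:1002:misconfigured:/home/deploy:/bin/bash
EOF
cat > "$SAMPLE_DIR/group" <<'EOF'
sudo:x:27:alice,deploy
admin:x:110:
xfer:x:1001:
EOF
audit_account xfer "$SAMPLE_DIR/passwd" "$SAMPLE_DIR/group" || true
audit_account deploy "$SAMPLE_DIR/passwd" "$SAMPLE_DIR/group" || true
```

On a real host the function would be pointed at `/etc/passwd` and `/etc/group`; it does not inspect `/etc/sudoers` for per-user rules or check file permissions, which is the read-access gap the answer mentions.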
1

May I recommend that you don't use sftp? Locking down a user account where people can log in so nothing can be done is pretty hard, and sftp relies on normal ssh authentication.

Instead, I would recommend that you use ftps. This way you get the encrypted tunnel, and you can use X.509 client certificates for authentication, avoiding passwords.

See https://help.ubuntu.com/10.04/serverguide/C/ftp-server.html for more information about ftps.

pehrs