
I have users transferring files to me using the same user account on my server and by adding their public keys to the authorised keys file.

I want to restrict access as much as possible, such that they should only be able to create files.

Is this possible?

Cheetah
What same account? Yours? What you want is [chrooted sftp](http://serverfault.com/questions/497011/sftp-user-cant-edit-or-create-files/497027#497027) – dawud Apr 23 '13 at 10:10

2 Answers


Since they're logging in by using public keys, you can simply set that key to not allow any PTY. Here's an example of a fairly closed-down key:

```
from="their.workstation.only.domain.com",no-pty,no-port-forwarding ssh-dss AAA....
```

This will only allow connections from one computer and will disallow both PTY and port forwarding. All such options should come before the actual key starts and be separated by commas.

There's a list of all possible options in the section AUTHORIZED_KEYS FILE FORMAT in the man page for sshd.

Jenny D
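A small audit for the key options described in the answer above, as an added example (not code from the answer or from OpenSSH): it parses the options field of each `authorized_keys` entry, including quoted values that contain commas, and reports which of `from=`, `no-pty`, `no-port-forwarding` and `command=` are absent. The sample entries, the key material and the `upload-only` wrapper path are constructed placeholders.

```python
import re

# Options this audit expects on every transfer-only key (all are sshd options).
WANTED = ("from", "no-pty", "no-port-forwarding", "command")
KEY_TYPE = re.compile(r"^(ssh-|ecdsa-|sk-)")
# name or name="value"; the value may hold commas, spaces and \" escapes.
OPTION = re.compile(r'([A-Za-z0-9-]+)(?:="((?:[^"\\]|\\.)*)")?(?:,|$)')

def parse_entry(line):
    """Split one authorized_keys line into (options dict, key and comment)."""
    line = line.strip()
    if KEY_TYPE.match(line):           # no options field at all
        return {}, line
    in_quote, end = False, len(line)
    for i, ch in enumerate(line):      # options end at first unquoted blank
        if ch == '"' and (i == 0 or line[i - 1] != "\\"):
            in_quote = not in_quote
        elif ch.isspace() and not in_quote:
            end = i
            break
    opts = {}
    for m in OPTION.finditer(line[:end]):
        opts[m.group(1).lower()] = True if m.group(2) is None else m.group(2)
    return opts, line[end:].strip()

def audit(text):
    """Return [(line number, [missing options])] for every key entry."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        have = set(parse_entry(raw)[0])
        if "restrict" in have:         # restrict implies no-pty and no forwarding
            have |= {"no-pty", "no-port-forwarding"}
        # no-pty only blocks terminal allocation; command= is what pins
        # the key to a single program, so its absence is reported too.
        findings.append((n, [o for o in WANTED if o not in have]))
    return findings

# Constructed sample: key material and the wrapper path are placeholders.
SAMPLE = """\
# transfer account keys
from="their.workstation.only.domain.com",no-pty,no-port-forwarding ssh-dss AAAA...placeholder user1
ssh-ed25519 AAAA...placeholder user2
restrict,from="host1.example.com,host2.example.com",command="/usr/local/bin/upload-only" ssh-ed25519 AAAA...placeholder user3
"""

if __name__ == "__main__":
    for n, missing in audit(SAMPLE):
        print(f"line {n}: missing {', '.join(missing) or 'nothing'}")
```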

I think rssh is the obvious choice.

rssh is a restricted shell for use with OpenSSH, allowing only scp and/or sftp. It now also includes support for rdist, rsync, and cvs. For example, if you have a server which you only want to allow users to copy files off of via scp, without providing shell access, you can use rssh to do that.

favadi
**`Important Security Notice:`** `There are some potentially serious security implications involved with running rssh.` – Eugen Konkov Feb 26 '20 at 08:54