Allow SCP but not actual login using SSH

Question

Is there any way to configure a user on a Linux box (Centos 5.2 in this case) so that they can use scp to retrieve files, but can't actually login to the server using SSH?

Answer 1

DEPRECATED: Please note the following answer is out of date. rssh is no longer maintained and is no longer a secure method.

rssh shell (http://pizzashack.org/rssh/) is designed for precisely this purpose.

Since RHEL/CentOS 5.2 doesn't include a package for rssh, you might look here to obtain an RPM: http://dag.wieers.com/rpm/packages/rssh/

To use it just set it as a shell for a new user like this:

useradd -m -d /home/scpuser1 -s /usr/bin/rssh scpuser1
passwd scpuser1

..or change the shell for an existing one like this:

chsh -s /usr/bin/rssh scpuser1

..and edit /etc/rssh.conf to configure rssh shell - especially uncomment allowscp line to enable SCP access for all rssh users.

(You may also want to use chroot to keep the users contained in their homes but that's another story.)

Answer 2

I'm way late to this but you could use ssh keys and specify the exact command allowed in their ~/.ssh/authorized_keys file e.g.

no-port-forwarding,no-pty,command="scp source target" ssh-dss ...

You may need to use ps to on the target to set the right command settings.

PS: If you run a test scp command with "-v" you can see something like this

debug1: Sending command: scp -v -t myfile.txt

You will note that "-t" is an undocumented scp option, used by the program on the far end. This gives you the idea of what you need to put into authorized_keys.

EDIT: You can find more information (with several links) in this StackOverflow question.

Here is a working example of this, for a user named backup_user on the server side.

~backup_user/.ssh/authorized_keys content on server side (with some more security restrictions):

no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty,command="scp -v -r -d -t ~/CONTENT" ssh-rsa AAAAMYRSAKEY...

Create a link in ~backup_user/ that links to the directory where the content should be accessible.

$ ln -s /path/to/directory/with/accessible/content ~backup_user/CONTENT

Now, from client side, the following command should work :

scp -v  -r  -P 2222 -i .ssh/id_rsa_key_file path/to/data backup_user@SERVER:~/CONTENT

What this command do:

• It displays verbose information (optionnal: you can remove the -v from both command and authorized_keys file)
• It recursively copies the content of the path/to/data. (optionnal: you can remove -r from both command and authorized_keys file if you do not want to make a recursive copy)
• It uses port 2222 to connect to the server (optionnal: you can remove -P 2222 from the command)
• It uses and identity file to automate the connection (optionnal: you can remove -i .ssh/id_rsa_key_file
• The content of path/to/data will be copied into /path/to/directory/with/accessible/content/

To make a copy of a file (or several) from the server to the client, you should create a shell script that handles this as described here

Answer 3

I'm a bit late to the party, however I will suggest you take a look at the ForceCommand directive of OpenSSH.

Subsystem sftp internal-sftp

Match group sftponly
         ForceCommand internal-sftp

Granted, this is SFTP and not SCP, but it reaches the same goal, more securely than with a restricted shell. Additionally, you can chroot the user if you want to.

Answer 4

I use MySecureShell to do this. You can configure other restrictions too.

https://github.com/mysecureshell/mysecureshell

Limits connections to SFTP/SCP only. No shell access.

Answer 5

I'd recommend using scponly.

It is a restricted shell that allows users to do just what it sounds like, SCP files to the server, but not actually log in. Information and source code downloads for the software are available here and the pre-compiled RPM packages are available via the EPEL YUM Repositories.

Once installed, you will need to configure each user account, which you wish to restrict access to, to use the newly installed restricted shell. You can do this manually via /etc/passwd or use the following command: usermod -s /usr/bin/scponly USERNAME

Answer 6

Very late to the party, but just set shell of the git user to be /usr/bin/git-shell. It's a restricted shell that doesn't allow interactive login. You can still su in to the user with 'su -s /bin/bash git' or whatever your git username is.

Answer 7

I've found a nice way is to use the command="..." feature of the authorized_keys file. (Suggested to me by this page)

The command you'd run would be one that tests for arguments that start with scp (and rsync).

Here's the authorized_keys file:

# authorized_keys
command="/usr/local/bin/remote-cmd.sh" ssh-rsa.....== user@pewpew

Here's the contents of remote-cmd.sh:

#!/bin/bash
# /usr/local/bin/remote-cmd.sh
case $SSH_ORIGINAL_COMMAND in
 'scp'*)
    $SSH_ORIGINAL_COMMAND
    ;;
 'rsync'*)
    $SSH_ORIGINAL_COMMAND
    ;;
 *)
    echo "Access Denied"
    ;;
esac

I guess you'd probably still need to protect the user's authorized_keys file, but my purpose was to have a password-less key that I could use for backups, without having to create a whole new user, and have the key not give a shell (ok, easily)

Answer 8

Change the login shell of the user to something restrictive, which lets the user run only scp, sftp-server and rsync only, and it also checks that unsafe arguments are not allowed (e.g. scp -S ... and rsync -e ... are unsafe, see here: http://exploit-db.com/exploits/24795). Example for such restrictive login shell:

• rssh
• scponly (not only scp, also allows sftp, svn etc. if configured so)
• transfer_shell

You may want to run one of these in a chroot or in another restricted environment (e.g. nsjail on Linux), to disable network access and for easier (whitelisted) control of which directories can be read and/or written.

I don't recommend using command="..." in ~/.ssh/authorized_keys, because without careful additional protection (such as chmod -R u-w ~ for the user) a malicious user can upload a new version of ~/.ssh/authorized_keys, ~/.ssh/rc or ~/.bashrc, and thus can include and execute arbitrary commands.

Answer 9

We use a psudo shell called scponly on our secure ftp servers for users we only want to be able to scp files but not log in.

Answer 10

Combining Phils script with some configuration in the SSH server seems to be having the desired effect. In our case, we have a group sftponly. As the name suggests - users in this group can only be used for file access over SSH. No user files (~/.ssh/authorized_keys or ~/.bashrc) modifications necessary.

Append this to /etc/ssh/sshd_config:

Match group sftponly
    X11Forwarding no
    AllowTcpForwarding no
    AllowAgentForwarding no
    ForceCommand /usr/local/bin/remote-file-access-only.sh

Create /usr/local/bin/remote-file-access-only.sh:

#!/bin/bash

# allow scp, sftp and rsync only
case $SSH_ORIGINAL_COMMAND in
 'scp'* | 'rsync'* | '/usr/libexec/openssh/sftp-server'*)
    $SSH_ORIGINAL_COMMAND
    ;;
 *)
    echo "Access Denied"
    ;;
esac

Restart sshd and make the script executable.

And there you go, for users in this group we can do scp, sftp and rsync but won't get a shell over SSH.

Answer 11

Its not the most graceful solution, but you could throw something like this into the users .bashrc

if [ "$TERM"  != "dumb" ]; then
  exit
fi

I've found that SCP users get a TERM of 'dumb', and others will typically get vt100.

I imagine the user could probably scp over a new .bashrc, which makes this not the best solution, but for a quick and dirty solution, this will work