I'm allowing a friend a local account on my machine, exclusively for SCP. Can I specify his account's shell as /bin/true, or in any other way limit the account, while still allowing SCP?
Add a comment
|
2 Answers
I recommend using rsync instead of scp. For users, it has many more useful features. On the server side, it comes with rrsync to allow synvc access inside a given directory, but no general shell access and no access to other directories.
Alternatively, you can restrict the account to only allow SFTP and not shell access. SFTP is a distinct access type in the SSH protocol, unlike rsync and scp which work by running a shell command on the server. (rrsync restricts access by only allowing one specific shell command, which only supports certain rsync transfers and nothing else.) SFTP access enables SFTP clients as well as SSHFS.
Historically, there were projects such as rssh and scponly, which you could set as user's shell, and then the user would only be able to run file copies and not get shell access. However, those projects are unmaintained and very likely insecure by now.
answered Mar 21, 2011 at 22:10
Gilles 'SO- stop being evil'Gilles 'SO- stop being evil'
865k205 gold badges1.8k silver badges2.3k bronze badges
-
1So does this mean /bin/false or /bin/true wouldn't work - or only allow sftp?Danny Staple– Danny Staple2011-09-08 15:40:38 +00:00Commented Sep 8, 2011 at 15:40
-
3@DannyStaple If a user's shell is set to
/bin/falseor other program that does nothing, neither scp nor sftp will work. For both commands, the SSH daemon fires off a shell command that runs a dedicated server process (scp -forsftp-server). It needs a Bourne-style shell, or at least a close enough approximation (such asrsshwhich allows only these few commands through).Gilles 'SO- stop being evil'– Gilles 'SO- stop being evil'2011-09-08 20:00:59 +00:00Commented Sep 8, 2011 at 20:00 -
1rssh no longer exists, they've pulled the code because they consider it unsafe to use. scponly hasn't been updated in a decade. Not looking promising anymore.anthonyryan1– anthonyryan12023-09-27 18:33:10 +00:00Commented Sep 27, 2023 at 18:33
No, you don't. As Gilles pointed out, rssh works very nicely to this end, as does scponly. See also the discussion in this related question.
answered Mar 22, 2011 at 7:54
Shadur-don't-feed-the-AIShadur-don't-feed-the-AI
32.3k11 gold badges65 silver badges73 bronze badges
-
2They're still shells, as pointed out
/bin/falsewill not work, neither will chmod 644 ksh.Steve-o– Steve-o2011-09-09 07:55:25 +00:00Commented Sep 9, 2011 at 7:55