2

How to create a user on a Linux box where it

- can be used for scp from the remote system
- can't be used for ssh login from the remote system

Thanks in advance

  • More context here https://serverfault.com/questions/420457/openssh-anything-like-internal-sftp-but-for-scp – ulidtko Mar 18 '24 at 15:21

2 Answers

2

You should use scponly. This is especially good if you only want to restrict certain users and maintain SSH with execution privileges for others.

wget 'https://sourceforge.net/projects/scponly/files/scponly/scponly-4.8/scponly-4.8.tgz'

  • Thanks for your reply. My existing system does not have scponly installed. I have created a user scpUser:x:1002:1002:Linux User,,,:/scp:/bin/sh and I am able to remotely perform ssh login and scp operation using the user "scpUser". I just want to find a way to disable ssh login but keep scp operational. – Joe Zhao Sep 14 '16 at 14:43
  • No bother, that's why I included the download command for it and the github wiki that has installation instructions. I'm afraid either that or Zama Ques' solution below are your best bets. – I_GNU_it_all_along Sep 14 '16 at 14:45
  • If I have both scp and scponly installed on my linux-based box, when ssh login or scp request is issued on the remote, how does the sshd daemon on my system distinguish the request? Is there such a concept to disable/enable scp/scponly service? Thanks a lot. – Joe Zhao Sep 14 '16 at 14:59
  • scp is a bundled part of your SSH service i.e. scp is SSH. scponly is like an overlay, if you will, that provides a sort of pseudo-shell when certain users connect to it that will only allow for file transfers etc. but other users will still be able to SSH as normal. In order to disable scp you either have to stop the SSH service or disable it in your sshd_config. – I_GNU_it_all_along Sep 14 '16 at 15:05
  • I do need SSH login working for all other users on my system. Just want to disable ssh login operation but maintain the scp function for that specific scp application user. I did try to disable that scp user in sshd_config file, but both scp and ssh login operations are not available. Is my request doable? – Joe Zhao Sep 14 '16 at 15:22
  • Yes, 100%. As I said in my answer, scponly allows you to specify which user(s) you wish to restrict and everyone else can still obtain an SSH shell as before. – I_GNU_it_all_along Sep 14 '16 at 15:24
  • I finally got scponly compiled and installed on my system. I have also created a user on my system intended for the external box for scponly use. – Joe Zhao Sep 20 '16 at 20:41
  • However when trying scp operation from the external box, I got the following error message:

        onx-jozhao-01|~/dcu/scpTest$ scp test-config.bk joe@47.135.59.78:/tmp
        Password:
        /usr/bin/scponly: No such file or directory
        lost connection
        onx-jozhao-01|~/dcu/scpTest$

    It passes the authentication, however, it complains the path /usr/bin/scponly does not exist. In fact, that file is indeed on my system.
    – Joe Zhao Sep 20 '16 at 20:50
  • Check to make sure it's in /usr/bin. If you're still having issues I'd make a new question for it as it's a bit far removed from the initial question. – I_GNU_it_all_along Sep 20 '16 at 20:52
  • On my system, here is the scponly path:

        Waveserver> which scponly
        /usr/bin/scponly
        Waveserver>

    – Joe Zhao Sep 20 '16 at 20:54
  • I can install scponly to any directory if you think it may help. Thanks a lot. – Joe Zhao Sep 20 '16 at 20:55
2

If you are OK to use sftp instead of scp, then Match Group in sshd_config can do the task for you.

The following options need to be enabled in /etc/ssh/sshd_config

   Subsystem sftp internal-sftp

   Match Group sftpusers
     ChrootDirectory /home/%u
     ForceCommand internal-sftp -u 002

You can also set up chroot for that user. The ChrootDirectory must contain the necessary files and directories to support the user’s session.

Zama Ques
  • Thanks for your suggestion. I need to use both sftp and scp on my system. I have created a user scpUser:x:1002:1002:Linux User,,,:/scp:/bin/sh and I am able to remotely perform ssh login and scp operation using the user "scpUser". I just want to find a way to disable ssh login but keep scp operational. – Joe Zhao Sep 14 '16 at 14:37
  • I have tried to create the user scpUser:x:1002:1002:Linux User,,,:/scp:/bin/nologin. However I am not able to remotely perform ssh login and scp operation using the user "scpUser". – Joe Zhao Sep 14 '16 at 14:47
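
One way to verify what the `Match Group` block in the second answer actually enforces for an account, as an added example that is not part of the original thread: the function reads the effective settings that `sshd -T` prints and reports anything that leaves the account less confined than intended. The function name, the sample settings and the extra checks on `AllowTcpForwarding` and `PermitTTY` are assumptions of this example and go beyond what the answer configures.

```shell
#!/bin/sh
# Added example (not from the thread). Audits the effective sshd settings for
# one account, in the lower-case "keyword value" form printed by `sshd -T`.
# Real use, as root (host/addr values are placeholders):
#   sshd -T -C user=scpUser,host=client.example,addr=192.0.2.10 | audit_sftp_only

# Reads `sshd -T` output on stdin, prints one line per finding, and exits 0
# only if the account is confined to chrooted SFTP. The body is a subshell, so
# its variables do not leak into the caller.
audit_sftp_only() (
    force=none chroot=none tcp=yes tty=yes rc=0   # sshd defaults when unset
    while read -r key val; do
        case "$key" in
            forcecommand)       force=$val ;;
            chrootdirectory)    chroot=$val ;;
            allowtcpforwarding) tcp=$val ;;
            permittty)          tty=$val ;;
        esac
    done
    case "$force" in
        internal-sftp|"internal-sftp "*) ;;   # arguments such as "-u 002" are fine
        *) echo "FAIL forcecommand=$force: the login shell or another command still runs"; rc=1 ;;
    esac
    [ "$chroot" != none ] || { echo "FAIL chrootdirectory=none: the session is not confined to a directory"; rc=1; }
    [ "$tcp" = no ] || { echo "FAIL allowtcpforwarding=$tcp: forwarding is allowed despite ForceCommand"; rc=1; }
    [ "$tty" = no ] || echo "WARN permittty=$tty: not needed for file transfer"
    exit "$rc"
)

# Constructed samples of effective settings (not captured from a real host).
# 1) The Match block from the answer, everything else at sshd defaults.
ANSWER_BLOCK='forcecommand internal-sftp -u 002
chrootdirectory /home/%u
allowtcpforwarding yes
permittty yes'
# 2) The same block plus "AllowTcpForwarding no" and "PermitTTY no".
HARDENED='forcecommand internal-sftp -u 002
chrootdirectory /home/%u
allowtcpforwarding no
permittty no'
# 3) An account with a normal shell and no Match block, as in the question.
PLAIN_SHELL='forcecommand none
chrootdirectory none
allowtcpforwarding yes
permittty yes'

for sample in "$ANSWER_BLOCK" "$HARDENED" "$PLAIN_SHELL"; do
    printf '%s\n' "$sample" | audit_sftp_only || true
    echo "--"
done
```

Separately from these settings, sshd refuses the session unless the `ChrootDirectory` path and every directory above it are owned by root and not writable by group or others.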