Anyone? Can I deny ssh access to a particular user but allow said user to use scp? Thus far I can only accomplish the deny part by adding the following line to my /etc/ssh/sshd_config
DenyUsers user1
CPU-optimized Linux-ck packages @ Repo-ck • AUR packages • Zsh and other configs
It might work if you set their shell to "/sbin/nologin".
-edit-
Okay, doesn't work. Maybe this is the way to go.
Last edited by lucke (2009-05-20 22:12:40)
@lucke - Thanks for the link, but I think for it to work, I would need to create a new account. I still want the user to have full local privileges, just no ssh and only scp.
You mean you want this user to be able to log in locally, but remotely only to be able to use scp, not ssh login?
@lucke - yes, full privs locally, but only scp remotely (no ssh access to shell at all). I found this but haven't tried it yet. I will when I get home tonight.
Last edited by graysky (2009-05-21 21:00:03)
You can use sftp-internal and sftp only, but that isn't quite scp.
You can also try using an ssh key and an authorized_keys file, with a command allow stanza... that runs a command and tests for arguments that start with scp (and rsync in my example).
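# authorized_keys
command="/usr/local/bin/remote-cmd.sh" ssh-rsa.....== user@pewpew

#!/bin/bash
# /usr/local/bin/remote-cmd.sh
# sshd stores the command the client asked for in SSH_ORIGINAL_COMMAND.
# Run it only when it starts with scp or rsync; refuse everything else.
case "$SSH_ORIGINAL_COMMAND" in
    'scp'*)
        # Unquoted on purpose: split into words, no shell evaluation.
        $SSH_ORIGINAL_COMMAND
        ;;
    'rsync'*)
        $SSH_ORIGINAL_COMMAND
        ;;
    *)
        echo "Access Denied"
        ;;
esac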
Last edited by cactus (2009-05-21 23:07:38)
"Be conservative in what you send; be liberal in what you accept." -- Postel's Law
"tacos" -- Cactus' Law
"t̥͍͎̪̪͗a̴̻̩͈͚ͨc̠o̩̙͈ͫͅs͙͎̙͊ ͔͇̫̜t͎̳̀a̜̞̗ͩc̗͍͚o̲̯̿s̖̣̤̙͌ ̖̜̈ț̰̫͓ạ̪͖̳c̲͎͕̰̯̃̈o͉ͅs̪ͪ ̜̻̖̜͕" -- -̖͚̫̙̓-̺̠͇ͤ̃ ̜̪̜ͯZ͔̗̭̞ͪA̝͈̙͖̩L͉̠̺͓G̙̞̦͖O̳̗͍
Can you do that authorized_keys file globally? I thought that file was only for per-user stuff.
Last edited by Daenyth (2009-05-22 01:21:33)
[git] | [AURpkgs] | [arch-games]
Can you do that authorized_keys file globally? I thought that file was only for per-user stuff.
While it would be possible (with an sshd_config stanza changing the path to authorized_keys), you wouldn't really want to do it that way; then any user could ssh to any user.
What you would want to use instead would be ForceCommand in sshd_config, with the above remote-cmd script. You could set the ForceCommand inside a Match block to specify it for users in a certain group, for instance.
Interesting... I'm not sure exactly how that would work out as I haven't done any complicated sshd setup, just the usual stuff. Mind posting an example?
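Added example, not written by any poster in this thread: a ForceCommand wrapper for the Match-block setup suggested above, narrowed to scp only and checking every word of the request rather than its prefix. The script path, the group name scponly and the function names are assumptions; paths containing spaces are refused by design.

```shell
#!/bin/sh
# Added example: /usr/local/bin/scp-only.sh (hypothetical path), wired in with
# this sshd_config stanza (the group name "scponly" is an assumption):
#
#   Match Group scponly
#       ForceCommand /usr/local/bin/scp-only.sh
#
# sshd puts the client's requested command in SSH_ORIGINAL_COMMAND.

# Return 0 only for the server-side scp forms "scp [-v -r -p -d] -t|-f PATH".
scp_cmd_allowed() {
    set -f                      # no glob expansion while word-splitting
    set -- $1                   # split the request into words, no eval
    set +f
    [ "${1:-}" = "scp" ] || return 1
    shift
    mode=0
    while [ $# -gt 1 ]; do      # everything before the last word must be a flag
        case "$1" in
            -t|-f) mode=$((mode + 1)) ;;
            -v|-r|-p|-d) ;;
            *) return 1 ;;      # unknown option: refuse
        esac
        shift
    done
    [ "$mode" -eq 1 ] || return 1       # exactly one of -t / -f
    case "${1:-}" in
        ''|-*) return 1 ;;              # path missing or looks like an option
    esac
    return 0
}

scp_only_main() {
    if scp_cmd_allowed "${SSH_ORIGINAL_COMMAND:-}"; then
        set -f
        exec $SSH_ORIGINAL_COMMAND      # the same words that were validated
    fi
    echo "Access Denied" >&2            # also reached for plain shell logins
    exit 1
}

# Act only when started by sshd (which sets SSH_CONNECTION).
[ -z "${SSH_CONNECTION:-}" ] || scp_only_main
```

Local logins are unaffected because ForceCommand applies only to sessions started through sshd. scp from OpenSSH 9.0 onward uses the SFTP protocol by default, so those clients need `scp -O` to send the legacy `scp -t` / `scp -f` request this wrapper checks.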