If you use an SSH server to transfer files (scp or sftp), you might want to restrict the connecting users.

Restrict the user shell, use rssh:

rssh is a restricted shell for use with OpenSSH, allowing only scp and/or sftp. It now also includes support for rdist, rsync, and cvs. For example, if you have a server which you only want to allow users to copy files off of via scp, without providing shell access, you can use rssh to do that.

Secured? Nope! The user might use port forwarding to do some nasty stuff if he connects without a shell/command (SSHv2). If you use password-based authentication there is only ONE option: disallow port forwarding in sshd_config:

AllowTcpForwarding
Specifies whether TCP forwarding is permitted.  The default is “yes”.  Note that disabling TCP forwarding does not improve security unless users are also denied shell access, as they can always install their own forwarders.

If you use key-based authentication, you can look at the ~/.ssh/authorized_keys file. There you can set options like no-port-forwarding, no-X11-forwarding… If you use these options, make sure you place the authorized_keys file outside the user directory, so the user cannot rewrite it over scp/sftp and drop the options, for example: “AuthorizedKeysFile /etc/ssh/%u/authorized_keys”.

no-port-forwarding
Forbids TCP forwarding when this key is used for authentication.  Any port forward requests by the client will return an error.  This might be used, e.g. in connection with the command option.
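
To check that every key in such an authorized_keys file really carries the forwarding restrictions, the following added example (not from the original post) parses the option field, including quoted command="..." values, and reports keys that still permit TCP or X11 forwarding. The sample keys are constructed placeholders; the script assumes sshd_config itself does not already disable forwarding and models options left to right, with a later option (restrict, port-forwarding, X11-forwarding) overriding an earlier one.

```python
import re

# Prefixes of public key types; a line starting with one has no option field.
KEY_TYPES = ("ssh-", "ecdsa-", "sk-")
# One option: name, optionally ="value" where the value may contain \" escapes.
_OPT = r'[A-Za-z0-9-]+(?:="(?:\\.|[^"\\])*")?'
FIELD_RE = re.compile(rf'({_OPT}(?:,{_OPT})*)[ \t]+(.+)')
NAME_RE = re.compile(r'([A-Za-z0-9-]+)(?:="(?:\\.|[^"\\])*")?')

def forwarding_allowed(names):
    """Replay option names in order; return (tcp, x11) still permitted."""
    tcp = x11 = True  # assumption: sshd_config leaves forwarding enabled
    for n in names:
        if n == "restrict":
            tcp = x11 = False
        elif n in ("port-forwarding", "no-port-forwarding"):
            tcp = not n.startswith("no-")
        elif n in ("x11-forwarding", "no-x11-forwarding"):
            x11 = not n.startswith("no-")
    return tcp, x11

def audit(text):
    """Return [(line_no, [problems])] for keys that still allow forwarding."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        names = []
        if not line.startswith(KEY_TYPES):
            m = FIELD_RE.match(line)
            if not m:
                findings.append((no, ["unparseable"]))
                continue
            names = [n.lower() for n in NAME_RE.findall(m.group(1))]
        tcp, x11 = forwarding_allowed(names)
        problems = [p for p, on in (("port-forwarding", tcp), ("X11-forwarding", x11)) if on]
        if problems:
            findings.append((no, problems))
    return findings

# Constructed sample file; key material replaced by placeholders.
SAMPLE = r'''# /etc/ssh/alice/authorized_keys (constructed)
ssh-ed25519 AAAAC3PLACEHOLDER1 alice@example
no-port-forwarding,no-X11-forwarding ssh-ed25519 AAAAC3PLACEHOLDER2 backup@example
command="rsync --server, \"x\"",no-port-forwarding ssh-rsa AAAAB3PLACEHOLDER3 sync@example
restrict,port-forwarding ssh-ed25519 AAAAC3PLACEHOLDER4 carol@example
'''

if __name__ == "__main__":
    for line_no, problems in audit(SAMPLE):
        print(f"line {line_no}: still permits {', '.join(problems)}")
```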