Allow SCP but not actual login using SSH
Solution 1:
rssh shell (http://pizzashack.org/rssh/) is designed for precisely this purpose.
Since RHEL/CentOS 5.2 doesn't include a package for rssh, you might look here to obtain an RPM: http://dag.wieers.com/rpm/packages/rssh/
To use it, just set it as the shell for a new user like this:
useradd -m -d /home/scpuser1 -s /usr/bin/rssh scpuser1
passwd scpuser1
...or change the shell for an existing one like this:
chsh -s /usr/bin/rssh scpuser1
...and edit /etc/rssh.conf to configure the rssh shell; in particular, uncomment the allowscp line to enable SCP access for all rssh users.
(You may also want to use chroot to keep the users contained in their homes but that's another story.)
Solution 2:
I'm way late to this, but you could use ssh keys and specify the exact command allowed in their ~/.ssh/authorized_keys file, e.g.
no-port-forwarding,no-pty,command="scp source target" ssh-dss ...
You may need to use ps on the target to find the right command settings.
PS: If you run a test scp command with "-v" you can see something like this
debug1: Sending command: scp -v -t myfile.txt
You will note that "-t" is an undocumented scp option, used by the program on the far end. This gives you the idea of what you need to put into authorized_keys.
EDIT: You can find more information (with several links) in this StackOverflow question.
Here is a working example of this, for a user named backup_user on the server side.
~backup_user/.ssh/authorized_keys content on the server side (with some more security restrictions):
no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty,command="scp -v -r -d -t ~/CONTENT" ssh-rsa AAAAMYRSAKEY...
Create a link in ~backup_user/ that links to the directory where the content should be accessible.
$ ln -s /path/to/directory/with/accessible/content ~backup_user/CONTENT
Now, from the client side, the following command should work:
scp -v -r -P 2222 -i .ssh/id_rsa_key_file path/to/data backup_user@SERVER:~/CONTENT
What this command does:
- It displays verbose information (optional: you can remove -v from both the command and the authorized_keys file).
- It recursively copies the content of path/to/data (optional: you can remove -r from both the command and the authorized_keys file if you do not want to make a recursive copy).
- It uses port 2222 to connect to the server (optional: you can remove -P 2222 from the command).
- It uses an identity file to automate the connection (optional: you can remove -i .ssh/id_rsa_key_file).
- The content of path/to/data will be copied into /path/to/directory/with/accessible/content/
To make a copy of a file (or several) from the server to the client, you should create a shell script that handles this as described here
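As an added example (not code from any of the answers above), here is one way to write the shell script just mentioned: a forced-command wrapper that inspects SSH_ORIGINAL_COMMAND and only lets through a server-side scp upload (-t) or download (-f) whose path stays inside one directory, refusing any other command. It assumes the wrapper is installed at /usr/local/bin/scp-only.sh, scp at /usr/bin/scp, and /srv/content as the permitted directory.

```shell
#!/bin/sh
# scp-only.sh: forced-command wrapper for an SSH key that may only run scp.
# Assumed authorized_keys line on the server (script path and key are placeholders):
#   no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty,command="/usr/local/bin/scp-only.sh" ssh-rsa AAAA...
# sshd ignores what the client asked for, runs this script instead, and
# exposes the client's request in SSH_ORIGINAL_COMMAND for us to inspect.

# Only paths under this directory may be uploaded to or downloaded from (assumed).
ALLOWED_ROOT="${ALLOWED_ROOT:-/srv/content}"

# scp_allowed "CMD": return 0 if CMD is a server-side scp invocation
# ("scp -t DIR" receives an upload, "scp -f FILE" serves a download)
# whose single path argument stays inside ALLOWED_ROOT; return 1 otherwise.
scp_allowed() {
    set -f                 # no pathname expansion while we word-split
    set -- $1
    set +f
    [ "$1" = scp ] || return 1
    shift
    mode=""
    while [ $# -gt 1 ]; do # every word but the last must be a known option
        case "$1" in
            -t|-f) [ -z "$mode" ] || return 1; mode=$1 ;;  # exactly one of -t / -f
            -r|-d|-p|-v) ;;                                # harmless scp flags
            *) return 1 ;;
        esac
        shift
    done
    [ -n "$mode" ] && [ $# -eq 1 ] || return 1
    case "$1" in
        *[!A-Za-z0-9/._-]*) return 1 ;;   # quotes, ';', '$', spaces etc. refused
        */../*|*/..)        return 1 ;;   # no directory traversal
        "$ALLOWED_ROOT"|"$ALLOWED_ROOT"/*) return 0 ;;
        *)                  return 1 ;;
    esac
}

# Dispatch only when sshd invoked us as a forced command.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    if scp_allowed "$SSH_ORIGINAL_COMMAND"; then
        logger -t scp-only "allowed: $SSH_ORIGINAL_COMMAND"
        set -f; set -- $SSH_ORIGINAL_COMMAND; shift
        exec /usr/bin/scp "$@"   # run exactly the validated request (assumed scp path)
    fi
    logger -t scp-only "rejected: $SSH_ORIGINAL_COMMAND"
    echo "Only scp to or from $ALLOWED_ROOT is permitted." >&2
    exit 1
fi
```

Rejected requests are written to syslog with the logger tag scp-only, which gives you an audit trail of keys that try to run anything other than scp.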
Solution 3:
I'm a bit late to the party, however I will suggest you take a look at the ForceCommand directive of OpenSSH.
Subsystem sftp internal-sftp
Match group sftponly
ForceCommand internal-sftp
Granted, this is SFTP and not SCP, but it reaches the same goal, more securely than with a restricted shell. Additionally, you can chroot the user if you want to.
Solution 4:
I use MySecureShell to do this. You can configure other restrictions too.
https://github.com/mysecureshell/mysecureshell
Limits connections to SFTP/SCP only. No shell access.
Solution 5:
I'd recommend using scponly.
It is a restricted shell that allows users to do just what it sounds like, SCP files to the server, but not actually log in. Information and source code downloads for the software are available here and the pre-compiled RPM packages are available via the EPEL YUM Repositories.
Once installed, you will need to configure each user account that you wish to restrict to use the newly installed restricted shell. You can do this manually via /etc/passwd or use the following command:
usermod -s /usr/bin/scponly USERNAME