7

Problem:

I don't have root access to the server (i.e., I can't/don't want to change any system-wide server configuration), and I want to use scp with an alternative identity file (e.g., .ssh/id_rsa_for_scp) to automate the download of some files from the server, but I don't want the same key to be used to access the server through ssh.

Michael Richard

2 Answers

16

After you copy your keyfile to the server:

ssh-copy-id -i ~/.ssh/id_rsa_for_scp legendaryuser@192.168.1.1

(To simplify the example, we will assume the client machine's ~/.ssh/config is already configured. For more details about ~/.ssh/config, run man ssh_config.)

Host testmachine
    Hostname 192.168.1.1
    User legendaryuser
    BatchMode yes
    IdentitiesOnly yes
    IdentityFile ~/.ssh/id_rsa_for_scp

You will need to edit the server's /home/legendaryuser/.ssh/authorized_keys file.

From:

ssh-rsa AAAAAC3nZCXExxHUEBR...

To: (this version allows download and upload)

command="if [[ \"$SSH_ORIGINAL_COMMAND\" =~ ^scp.? ]]; then $SSH_ORIGINAL_COMMAND ; else echo Access Denied; fi" ssh-rsa AAAAAC3nZCXExxHUEBR...

If you want to limit scp to "download-only mode" and only to files from a specific directory, do:

command="if [[ \"$SSH_ORIGINAL_COMMAND\" =~ ^scp[[:space:]]-f[[:space:]]/full/path/to/dir/.? ]]; then $SSH_ORIGINAL_COMMAND ; else echo Access Denied; fi" ssh-rsa AAAAAC3nZCXExxHUEBR...

And last, let's add some more restrictions to the key, just to be safe:

command="if [[ \"$SSH_ORIGINAL_COMMAND\" =~ ^scp[[:space:]]-f[[:space:]]/full/path/to/dir/.? ]]; then $SSH_ORIGINAL_COMMAND ; else echo ERROR Access Denied; fi",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-rsa AAAAAC3nZCXExxHUEBR...

You can see more details about the authorized_keys file by running:

man sshd

PS: You can also add from=xxx.xxx.xxx.xxx to limit the use of the key to a specific IP address or network.

PPS: Sorry for my English, I'm not a native speaker.

Michael Richard
  • 1
    Wow. Nice answer! :) – Jesse Adelman May 25 '17 at 22:51
  • Or use `scponly`, which does basically the same without writing too many regexes. – Jakuje May 26 '17 at 08:25
  • @Jakuje, Yes, I could... if I had root access to the server. This solution is intended to help a user that doesn't have the power to make any changes on the system from which he needs to copy the files. – Michael Richard May 26 '17 at 12:25
  • @JesseAdelman, thank you, it's very kind of you. =) – Michael Richard May 26 '17 at 12:27
  • 1
    You don't need root access to set up `scponly` (if you download/install it in your home directory). It is nothing against your solution, but just for reference that there is already a tool to do that. – Jakuje May 26 '17 at 12:29
  • @Jakuje https://github.com/scponly/scponly/wiki/Install#Edit_etcshells Hmm. How are you going to do that without root access? For that matter, how are you going to install scponly package without root access? The question specifies that no root access is available. I think this answer meets the requirements along with the given descriptions. – Jesse Adelman May 26 '17 at 16:40
  • @JesseAdelman 1) you can "install" any script into home directory. 2) You don't need to set it into the shells. Setting command to the key is enough. – Jakuje May 26 '17 at 16:52
  • 3
    @Jakuje OK, cool. Why not put that as an answer and demonstrate? I'd love to see how, too. :D – Jesse Adelman May 26 '17 at 17:15
  • @Jakuje [`scponly`](https://github.com/scponly/scponly/) seems like a good solution, except it appears discontinued/abandoned? – mehov Jan 02 '20 at 13:47
  • @aexl seems like that. There could be some more up-to-date fork somewhere. I do not personally use that so I am not familiar with its development. – Jakuje Jan 02 '20 at 15:00
  • Awesome! Thank you very much. – Kiwy Feb 16 '21 at 14:19
2

Supplement to @Michael Richard's answer.

zsh will return an error:

zsh:1: no such file or directory: scp ...

This problem also exists in bash.

To solve it, replace

... then $SSH_ORIGINAL_COMMAND ; ...

with

... then $SHELL -c \"$SSH_ORIGINAL_COMMAND\" ; ...

Ben Song
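A caveat on both answers above: the regexes in the first answer anchor only the start of the client-supplied string, so any request that begins with scp -f /full/path/to/dir/ is accepted whatever follows it. With the plain $SSH_ORIGINAL_COMMAND expansion that is mostly harmless (bash only word-splits, it does not re-parse separators), but once the string is handed to $SHELL -c as in the second answer, a semicolon or other shell syntax in the request is interpreted by that shell, and the forced command no longer restricts the key. The wrapper below is an added example, not code from either answer or from OpenSSH: it lives in the user's home directory (no root needed), is referenced from the command= option, validates the whole request with case patterns rather than a prefix regex, never passes the string back through a shell (which also sidesteps the zsh word-splitting problem the second answer describes), and execs scp with the path as a single argument. The script name, ALLOWED_DIR and the sample requests in the comments are assumptions.

```shell
#!/bin/sh
# scp-download-only.sh (hypothetical name): forced-command wrapper for a
# download-only scp key. Added example, not code from either answer.
#
# authorized_keys line that uses it (path is an assumption):
#   command="/home/legendaryuser/bin/scp-download-only.sh",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-rsa AAAA...
#
# Directory the key may read from (assumption; no trailing slash).
ALLOWED_DIR="/full/path/to/dir"

# scp_download_allowed CMD DIR
# Returns 0 only if CMD is exactly "scp -f <path>" with <path> under DIR/,
# non-empty, and free of whitespace, "..", globbing and shell metacharacters.
# The whole string is matched with case patterns and is never re-parsed by a
# shell, so a request like "scp -f DIR/x; rm -rf ~" is rejected outright
# instead of being run as two commands by "$SHELL -c".
scp_download_allowed() {
    cmd=$1
    dir=$2
    nl=$(printf '\nx'); nl=${nl%x}      # a literal newline
    tab=$(printf '\t')
    # 1. anything a shell or scp could interpret beyond a plain path
    case "$cmd" in
        *';'*|*'|'*|*'&'*|*'$'*|*'`'*|*'('*|*')'*|*'<'*|*'>'*|*'\'*|*"'"*|*'"'*|*'*'*|*'?'*|*'['*|*"$nl"*)
            return 1 ;;
    esac
    # 2. no directory traversal out of DIR
    case "$cmd" in
        *'..'*) return 1 ;;
    esac
    # 3. exact source-mode invocation, path inside the allowed directory
    case "$cmd" in
        "scp -f $dir/"?*) ;;
        *) return 1 ;;
    esac
    # 4. a single path: no second argument or option hidden after a space
    path=${cmd#scp -f }
    case "$path" in
        *' '*|*"$tab"*) return 1 ;;
    esac
    return 0
}

# scp_download_path CMD: print the path part of an already validated request.
scp_download_path() {
    printf '%s\n' "${1#scp -f }"
}

# Entry point when sshd runs this script as the forced command.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    if scp_download_allowed "$SSH_ORIGINAL_COMMAND" "$ALLOWED_DIR"; then
        # the path is one quoted argument: no word splitting, no globbing
        exec scp -f "$(scp_download_path "$SSH_ORIGINAL_COMMAND")"
    fi
    echo "Access Denied" >&2
    exit 1
fi
```

Install it with chmod 0755 in a directory the account owns and keep the no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding options (and from=, if applicable) from the first answer on the same authorized_keys line. One limitation worth knowing: OpenSSH clients from 9.0 onward use the SFTP protocol for scp by default, in which case the request arrives as a subsystem request rather than an scp -f command line and this wrapper denies it; such clients need scp -O to use the legacy protocol.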