make linux server allow rsync/scp/sftp but not a terminal login

7

3

I'd like to configure a Linux box (probably an Ubuntu server) so that I can set up users, so that it is possible to upload/download files via rsync/scp/sftp, but it should not be possible to ssh to the machine and get an interactive terminal.

Is this possible? How would I go about configuring that? I know that I'll need the ssh server to be ON for rsync/scp/sftp to work, but I guess there should be a way to prevent the direct login.

Eldamir

Posted 2013-09-05T09:24:04.290

Reputation: 225

I don't think that's possible coz you need a username and pass to use rsync, whoever has the username and pass can login, even if you create an ssh key just for rsync, won't work, would love to be proven wrong though – Lynob – 2013-09-05T09:29:40.737

It's possible to allow only SFTP with Match User ... / ForceCommand internal-sftp in sshd_config. But to allow several programs I can't help. – mveroone – 2013-09-05T09:36:24.823

You need a chroot jail, SourceForge implements a very good one but I can't find documentation on it. – justbrowsing – 2013-09-05T09:54:14.013

Answers

6

Set the users' shell to rssh. From the manpage:

rssh - restricted secure shell allowing only scp and/or sftp

SlightlyCuban

Posted 2013-09-05T09:24:04.290

Reputation: 605

This does not allow rsync, only sftp. – Agoston Horvath – 2019-04-01T08:21:57.960

I can test this later on, however the documentation states:

It now also includes support for rdist, rsync, and cvs

– SlightlyCuban – 2019-04-01T14:18:25.687

1

I stand corrected: it does support rsync, but by default it is disabled on Ubuntu. However, there is a config file /etc/rssh.conf where one can really deeply fine-tune rssh. Thanks for the info! – Agoston Horvath – 2019-04-02T10:10:28.200

1

Just calling your attention to this (old!) answer, that rssh has now apparently been abandoned, and it's being removed from distros. I suggest editing in a note that this is no longer a good solution — or of course do a more extensive update to provide a current solution (I, unfortunately, do not have one to recommend). – derobert – 2019-12-04T04:48:04.860

1

Maybe GNU Rush? https://puszcza.gnu.org.ua/software/rush/

– Jim Paris – 2019-12-20T21:23:04.883

3

If you only need to allow rsync, the developers of rsync provide the rrsync script to solve your problem. It is available from here: http://ftp.samba.org/pub/unpacked/rsync/support/rrsync

You just need to add something like this to your authorized_keys file. This example allows read-only (-ro) access to /some/directory/:

command="/path/to/rrsync -ro /some/directory/",no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-X11-forwarding ssh-rsa AAA...

A more thorough explanation and example is available here: https://www.guyrutenberg.com/2014/01/14/restricting-ssh-access-to-rsync/

Update: This is NOT SECURE for write access until this bug is fixed: https://bugzilla.samba.org/show_bug.cgi?id=11879

As long as this bug persists, please only use rrsync in read only mode (-ro).

user144437

Posted 2013-09-05T09:24:04.290

Reputation: 131
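As an added example (not part of any answer in this thread), the following Python check parses authorized_keys entries like the rrsync line above and reports keys that lack a forced command or the restriction options. The sample keys are constructed; restrict is the OpenSSH 7.2+ option that switches on all of the no-* restrictions at once.

```python
# Added example: audit authorized_keys entries; all sample keys are constructed.
NO_OPTS = {"no-pty", "no-port-forwarding", "no-agent-forwarding",
           "no-x11-forwarding", "no-user-rc"}
KEY_PREFIXES = ("ssh-", "ecdsa-", "sk-")  # a line starting like this has no options

def split_options(line):
    """Return ({option: value}, rest_of_line), honouring quoted values."""
    line = line.strip()
    if line.startswith(KEY_PREFIXES):
        return {}, line
    opts, buf, in_q, i = [], "", False, 0
    while i < len(line):
        ch = line[i]
        if in_q and line[i:i + 2] == '\\"':    # escaped quote inside a value
            buf, i = buf + '"', i + 2
            continue
        if ch == '"':
            in_q = not in_q
        elif ch == "," and not in_q:           # option separator
            opts, buf = opts + [buf], ""
        elif ch in " \t" and not in_q:         # options end at first bare space
            break
        else:
            buf += ch
        i += 1
    pairs = (o.partition("=") for o in opts + [buf])
    return {n.lower(): v for n, _, v in pairs}, line[i:].strip()

def audit(line):
    """Return the problems found in one entry; an empty list means restricted."""
    opts, _ = split_options(line)              # option keywords are case-insensitive
    problems = [] if opts.get("command") else ["no forced command"]
    if "restrict" in opts:                     # later options can switch features back on
        reenabled = {o[3:] for o in NO_OPTS} & set(opts)
        problems += ["re-enables " + o for o in sorted(reenabled)]
    else:
        problems += ["missing " + o for o in sorted(NO_OPTS - set(opts))]
    return problems

# Constructed entries; GOOD mirrors the rrsync line in the answer above.
GOOD = ('command="/path/to/rrsync -ro /some/directory/",no-agent-forwarding,'
        'no-port-forwarding,no-pty,no-user-rc,no-X11-forwarding ssh-rsa AAAAB3EXAMPLE backup')
PARTIAL = 'command="/path/to/rrsync -ro /some/directory/",no-pty ssh-rsa AAAAB3EXAMPLE partial'
BARE = "ssh-ed25519 AAAAC3EXAMPLE unrestricted"

if __name__ == "__main__":
    for entry in (GOOD, PARTIAL, BARE):
        print(audit(entry) or "restricted", "<-", entry.split()[-1])
```

A key reported with "no forced command" gets whatever login shell the account has, so it should either be given a command= option or the account's shell should be restricted as the other answers describe.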

1

You can use a pseudo-shell like scponly and set this for the users you don't want to log in directly.

Another possible way is to set the login command in the authorized keys file, but that only works if your users log in via SSH keys and not via password.

Izzy

Posted 2013-09-05T09:24:04.290

Reputation: 273

One potential issue with the authorized_keys is if the restricted user somehow manages to overwrite the file, to where it no longer imposes that restriction – aexl – 2020-01-15T13:11:52.080