Permitting scp but not ssh - without scponly

I'm migrating a Debian server to Ubuntu 16.04. One of the packages on the Debian server is scponly, which acts as a shell and permits ssh connections for scp purposes only (not login or running anything other than the scp binary). Details can be found here. This package has been on the Debian server through at least 2 physical server upgrades already, countless OS upgrades, and probably dates from about 2007.

scponly is not in any 16.04 repository, and isn't compiled on launchpad. Whilst I am quite capable of installing it from source, this got me wondering whether in the last 10+ years there is a better way of configuring ssh to permit scp commands only, that is more Ubuntu 16.04 friendly, and less based in the dim and distant past. Any ideas?


Solution 1:

According to this serverfault.com answer, "Allow SCP but not actual login using SSH", one currently supported way is by using rssh, which is available from the universe repository:

sudo apt-add-repository universe

sudo apt-get install rssh

To allow SCP, you must uncomment the corresponding line in the /etc/rssh.conf file (plus any other protocols you wish to enable):

allowscp
#allowsftp
#allowcvs
#allowrdist
#allowrsync
#allowsvnserve

Then it is just a matter of changing the user's login shell to the rssh shell, e.g.

sudo chsh -s /usr/bin/rssh steeldriver

You can then test that SCP works e.g.

$ scp steeldriver@localhost:~/Pictures/somefile.png ./
steeldriver@localhost's password: 
somefile.png                                                               100%   34KB  33.7KB/s   00:00    
$

but SSH should fail with a rejection message like

$ ssh steeldriver@localhost
steeldriver@localhost's password: 
Welcome to Ubuntu 14.04.4 LTS (GNU/Linux 3.13.0-88-generic x86_64)

 * Documentation:  https://help.ubuntu.com/

Last login: Wed Jul  6 16:23:47 2016 from localhost

This account is restricted by rssh.
Allowed commands: scp

If you believe this is in error, please contact your system administrator.

Connection to localhost closed.

Note that it does not appear to be necessary to add /usr/bin/rssh to the list of allowed login shells in /etc/shells.
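
A check for the setup described in the answer above, as an added example that is not part of the original answer: it confirms that an account's login shell is /usr/bin/rssh and that scp is the only protocol left uncommented in an rssh.conf-style file. The function names and the sample files are constructed for illustration, and only the global allow* lines are evaluated (any per-user overrides in the file are not).

```shell
#!/usr/bin/env bash
# Added example: audit an rssh scp-only setup. Function names are illustrative.

# List protocols enabled in an rssh.conf-style file, one per line.
# Only uncommented allow* keywords count, so "#allowsftp" stays disabled.
rssh_enabled_protocols() {
    grep -E '^[[:space:]]*allow[a-z]+[[:space:]]*(#.*)?$' "$1" |
        sed -E 's/^[[:space:]]*allow([a-z]+).*/\1/'
}

# Print the login shell of user $2 from the passwd-format file $1.
user_login_shell() {
    awk -F: -v u="$2" '$1 == u { print $7 }' "$1"
}

# Succeed only if the account's shell is rssh and scp is the sole protocol enabled.
audit_scp_only() {
    local conf="$1" passwd="$2" user="$3" shell protos
    shell=$(user_login_shell "$passwd" "$user")
    protos=$(rssh_enabled_protocols "$conf" | sort -u | tr '\n' ' ')
    if [ "$shell" != "/usr/bin/rssh" ]; then
        echo "FAIL: $user has shell '${shell:-none}', not /usr/bin/rssh"
        return 1
    fi
    if [ "$protos" != "scp " ]; then
        echo "FAIL: enabled protocols are '${protos% }', expected only scp"
        return 1
    fi
    echo "OK: $user is limited to scp by rssh"
}

# Constructed sample input so the example runs offline.
demo_dir=$(mktemp -d)
printf '%s\n' 'allowscp' '#allowsftp' '#allowcvs' '#allowrdist' \
    '#allowrsync' '#allowsvnserve' > "$demo_dir/rssh.conf"
printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
    'steeldriver:x:1000:1000::/home/steeldriver:/usr/bin/rssh' > "$demo_dir/passwd"

audit_scp_only "$demo_dir/rssh.conf" "$demo_dir/passwd" steeldriver
```

On a live system the same check would be run as `audit_scp_only /etc/rssh.conf /etc/passwd steeldriver`; accounts that come from a directory service rather than /etc/passwd are not covered by the file lookup.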