Allow SCP but not actual login using SSH

Is there any way to configure a user on a Linux box (Centos 5.2 in this case) so that they can use scp to retrieve files, but can't actually login to the server using SSH?


DEPRECATED: Please note the following answer is out of date. rssh is no longer maintained and is no longer a secure method.

rssh shell (http://pizzashack.org/rssh/) is designed for precisely this purpose.

Since RHEL/CentOS 5.2 doesn't include a package for rssh, you might look here to obtain an RPM: http://dag.wieers.com/rpm/packages/rssh/

To use it just set it as a shell for a new user like this:

useradd -m -d /home/scpuser1 -s /usr/bin/rssh scpuser1
passwd scpuser1

..or change the shell for an existing one like this:

chsh -s /usr/bin/rssh scpuser1

..and edit /etc/rssh.conf to configure rssh shell - especially uncomment allowscp line to enable SCP access for all rssh users.

(You may also want to use chroot to keep the users contained in their homes but that's another story.)


I'm way late to this but you could use ssh keys and specify the exact command allowed in their ~/.ssh/authorized_keys file e.g.

no-port-forwarding,no-pty,command="scp source target" ssh-dss ...

You may need to use ps to on the target to set the right command settings.

PS: If you run a test scp command with "-v" you can see something like this

debug1: Sending command: scp -v -t myfile.txt

You will note that "-t" is an undocumented scp option, used by the program on the far end. This gives you the idea of what you need to put into authorized_keys.

EDIT: You can find more information (with several links) in this StackOverflow question.

Here is a working example of this, for a user named backup_user on the server side.

~backup_user/.ssh/authorized_keys content on server side (with some more security restrictions):

no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty,command="scp -v -r -d -t ~/CONTENT" ssh-rsa AAAAMYRSAKEY...

Create a link in ~backup_user/ that links to the directory where the content should be accessible.

$ ln -s /path/to/directory/with/accessible/content ~backup_user/CONTENT

Now, from client side, the following command should work :

scp -v  -r  -P 2222 -i .ssh/id_rsa_key_file path/to/data backup_user@SERVER:~/CONTENT

What this command do:

  • It displays verbose information (optionnal: you can remove the -v from both command and authorized_keys file)
  • It recursively copies the content of the path/to/data. (optionnal: you can remove -r from both command and authorized_keys file if you do not want to make a recursive copy)
  • It uses port 2222 to connect to the server (optionnal: you can remove -P 2222 from the command)
  • It uses and identity file to automate the connection (optionnal: you can remove -i .ssh/id_rsa_key_file
  • The content of path/to/data will be copied into /path/to/directory/with/accessible/content/

To make a copy of a file (or several) from the server to the client, you should create a shell script that handles this as described here


I'm a bit late to the party, however I will suggest you take a look at the ForceCommand directive of OpenSSH.

Subsystem sftp internal-sftp

Match group sftponly
         ForceCommand internal-sftp

Granted, this is SFTP and not SCP, but it reaches the same goal, more securely than with a restricted shell. Additionally, you can chroot the user if you want to.