Limit SSH key to SCP only
After you copy your keyfile to the server:
ssh-copy-id -i ~/.ssh/id_rsa_for_scp [email protected]
(To simplify the example, we will assume the client machine's ~/.ssh/config is already configured. For more details about ~/.ssh/config, run man ssh_config.)
Host testmachine
Hostname 192.168.1.1
User legendaryuser
BatchMode yes
IdentitiesOnly yes
IdentityFile ~/.ssh/id_rsa_for_scp
You will need to edit the server's /home/legendaryuser/.ssh/authorized_keys file.
From:
ssh-rsa AAAAAC3nZCXExxHUEBR...
To: (this version allows download and upload)
command="if [[ \"$SSH_ORIGINAL_COMMAND\" =~ ^scp.? ]]; then $SSH_ORIGINAL_COMMAND ; else echo Access Denied; fi" ssh-rsa AAAAAC3nZCXExxHUEBR...
If you want to limit scp to "download-only mode" and only to files from a specific directory, do:
command="if [[ \"$SSH_ORIGINAL_COMMAND\" =~ ^scp[[:space:]]-f[[:space:]]/full/path/to/dir/.? ]]; then $SSH_ORIGINAL_COMMAND ; else echo Access Denied; fi" ssh-rsa AAAAAC3nZCXExxHUEBR...
And lastly, let's add some more restrictions to the key, just to be safe:
command="if [[ \"$SSH_ORIGINAL_COMMAND\" =~ ^scp[[:space:]]-f[[:space:]]/full/path/to/dir/.? ]]; then $SSH_ORIGINAL_COMMAND ; else echo ERROR Access Denied; fi",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-rsa AAAAAC3nZCXExxHUEBR...
You can see more details about the authorized_keys file by running:
man sshd
Ps: You can also add from=xxx.xxx.xxx.xxx to limit the use of the key to a specific IP address or network.
Pps: Sorry for my English, I'm not a native speaker.
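An added check, not part of the answer above: a POSIX sh script that evaluates the forced-command regex offline against sample SSH_ORIGINAL_COMMAND strings, next to a tightened pattern that is anchored at both ends, allows exactly one plain file name, and rejects ".." and extra arguments. /full/path/to/dir and the sample commands are placeholders.

```shell
#!/bin/sh
# Added example: see which SSH_ORIGINAL_COMMAND strings a forced-command
# pattern accepts, before putting it into authorized_keys.
# EXPORT_DIR is a placeholder; it must not contain regex metacharacters.
EXPORT_DIR="/full/path/to/dir"

# Pattern from the answer: only the start of the command is anchored, so
# anything after "dir/" (including ".." and further arguments) passes.
LOOSE_RE="^scp[[:space:]]-f[[:space:]]$EXPORT_DIR/.?"

# Tightened pattern: exactly "scp -f <EXPORT_DIR>/<name>", where <name> is
# one file name with no '/', no leading dot, no ".." and nothing after it.
STRICT_RE="^scp -f $EXPORT_DIR/[A-Za-z0-9_-]+(\.[A-Za-z0-9_-]+)*\$"

NL='
'

# matches RE STRING: 0 if STRING matches RE, 1 otherwise. Multi-line strings
# are always rejected, since grep would otherwise test each line on its own.
matches() {
    case "$2" in *"$NL"*) return 1 ;; esac
    printf '%s\n' "$2" | grep -Eq -- "$1"
}

loose_allows()  { matches "$LOOSE_RE" "$1"; }
strict_allows() { matches "$STRICT_RE" "$1"; }

# served_file CMD: print the file name the forced command would hand to
# "scp -f" after strict validation, or nothing if CMD is denied. Passing only
# the validated name to scp avoids re-evaluating the client's whole string.
served_file() {
    if strict_allows "$1"; then
        printf '%s\n' "${1#scp -f $EXPORT_DIR/}"
    fi
}

# Constructed sample commands (what a client sends for "scp user@host:...").
for cmd in \
    "scp -f $EXPORT_DIR/report.txt" \
    "scp -f $EXPORT_DIR/../secret" \
    "scp -f $EXPORT_DIR/a $EXPORT_DIR/b" \
    "ls -la"
do
    loose_allows "$cmd"  && l=allow || l=deny
    strict_allows "$cmd" && s=allow || s=deny
    printf '%-45s loose=%-5s strict=%s\n' "$cmd" "$l" "$s"
done
```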
Supplement to @Michael Richard's answer.
zsh will return an error:
zsh:1: no such file or directory: scp ...
This problem also exists in bash.
To solve it, replace
... then $SSH_ORIGINAL_COMMAND ; ...
with
... then $SHELL -c $SSH_ORIGINAL_COMMAND ; ...