

User can only rsync files with no shell access

A local user should be able to copy data from the server with rsync, and with nothing else. (He must not be able to log in to a shell!)

  1. Create a new user (pfrsync). Leave the user a real login shell (for example /bin/sh) and do not set /sbin/nologin: sshd starts the ForceCommand configured below through the user's shell, so nologin would block rsync as well. The ForceCommand, not the shell, is what keeps the user out of an interactive session:
    # useradd pfrsync
  2. Add a new group (pfrsynconly) and make it the user's primary group:
    # groupadd pfrsynconly
    # usermod -g pfrsynconly pfrsync
  3. Set a password for the pfrsync user (the Match block below allows password authentication for this group only):
     # passwd pfrsync
  4. Make the user's home directory owned by root and not writable by the user. This is what ChrootDirectory requires if you later enable it for the home, and it also keeps the user from replacing the check_command.sh wrapper that the ForceCommand below executes (the wrapper itself must be root-owned and not writable by the user, e.g. mode 0755):
    # chown root:root /home/pfrsync
    # chmod 755 /home/pfrsync 
  5. Make a directory the user may rsync against (named incoming here):
    # mkdir /home/pfrsync/incoming
    # chown pfrsync:pfrsync /home/pfrsync/incoming 
  6. Add the following to /etc/ssh/sshd_config (the Match block at the end is the part that matters for this user; the rest is the host's existing configuration, shown for context):
     # vim /etc/ssh/sshd_config 

    #
    # sshd_config managed by puppet, do not edit by hand!
    #
    
    Port 22
    ListenAddress 172.31.130.28
    Protocol 2
    HostKey /etc/ssh/ssh_host_rsa_key
    HostKey /etc/ssh/ssh_host_ecdsa_key
    LoginGraceTime 2m
    
    PermitRootLogin no
    StrictModes yes
    DSAAuthentication yes
    AuthorizedKeysFile /etc/ssh/authorized_keys/%u
    HostbasedAuthentication no
    IgnoreRhosts yes
    PasswordAuthentication no
    PermitEmptyPasswords no
    
    ChallengeResponseAuthentication no
    UsePAM yes
    
    X11Forwarding yes
    UsePrivilegeSeparation yes
    
    Subsystem       sftp    /usr/libexec/openssh/sftp-server
    ClientAliveInterval 60
    ClientAliveCountMax 5
    AllowTcpForwarding yes
    
    LogLevel INFO
    MaxAuthTries 4
    PermitUserEnvironment no
    Ciphers aes128-ctr,aes192-ctr,aes256-ctr
    KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521
    MACs hmac-sha2-256,hmac-sha2-512
    PubkeyAuthentication yes
    AllowAgentForwarding yes
    
    Match group pfrsynconly
           #ChrootDirectory /var/lib/pulp
           X11Forwarding no
           AllowTcpForwarding no
           AllowAgentForwarding no
           PasswordAuthentication yes
           ForceCommand /home/pfrsync/check_command.sh
     
    NOTE: The Match block can be adjusted in three basic ways:

  • Use ChrootDirectory %h to lock each user into their own home directory (the ChrootDirectory line is commented out in the example above; a chroot target must be owned by root and not writable by the user, which is why step 4 sets that ownership and mode)
  • Or use a single hardcoded directory name → ChrootDirectory /home/user/
  • Keep in mind: there is no need to create a group if just one user should have access. In this case replace "Match group pfrsynconly" with "Match user pfrsync"

After all changes, restart sshd!

# systemctl restart sshd
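The ForceCommand line above points at /home/pfrsync/check_command.sh, but the page does not show that script. The following is an added example of such a wrapper, not the script from the original page: it reads SSH_ORIGINAL_COMMAND (the command the rsync client asked sshd to run), accepts only a pull-only rsync server invocation ("rsync --server --sender ...") whose source path resolves below an allowed directory, and refuses everything else, including an interactive login, which arrives with an empty SSH_ORIGINAL_COMMAND. The rsync binary path, the allowed directory (/home/pfrsync/incoming from step 5) and the assumption that the user's login shell is a real shell (sshd runs the ForceCommand through it) are assumptions of this example.

```shell
#!/bin/sh
# check_command.sh: target of "ForceCommand /home/pfrsync/check_command.sh".
# Members of the Match group may run nothing but a pull-only rsync server
# process ("rsync --server --sender ...") reading below ALLOWED_ROOT; every
# other command, including an interactive login, is refused and logged.
# Added example for this page, not the original script. RSYNC_BIN and
# ALLOWED_ROOT are assumptions; adjust them for the host.

RSYNC_BIN=/usr/bin/rsync              # assumption: where rsync lives on this host
ALLOWED_ROOT=/home/pfrsync/incoming   # assumption: the only tree the user may read

# deny MESSAGE: report the refused request to syslog and to the client, return 1.
deny() {
    logger -t check_command -p auth.warning "denied for ${USER:-unknown}: $1" 2>/dev/null || true
    printf 'rsync only, denied: %s\n' "$1" >&2
    return 1
}

# check_rsync_command CMD [HOME_DIR]: return 0 when CMD is a plain
# "rsync --server --sender ..." whose source path resolves below ALLOWED_ROOT,
# 1 otherwise. HOME_DIR defaults to $HOME; the rsync client sends relative
# paths (e.g. "incoming/") that the server resolves from the login user's home.
check_rsync_command() {
    cmd=$1
    home=${2:-${HOME:-/home/pfrsync}}
    nl='
'
    [ -n "$cmd" ] || { deny "empty command (interactive login attempt?)"; return 1; }

    # The arguments are exec'ed directly (never through a shell), but refusing
    # shell metacharacters and line breaks up front keeps the argument list boring.
    case $cmd in
        *"$nl"*) deny "line break in command"; return 1 ;;
    esac
    if printf '%s\n' "$cmd" | grep -q '[;&|<>()$`"\\'"'"']'; then
        deny "shell metacharacter in: $cmd"
        return 1
    fi

    # Pull only: the server side of a download is "rsync --server --sender".
    # A push ("rsync --server" without --sender) would let the user write here.
    case $cmd in
        "rsync --server --sender "*) ;;
        *) deny "not a pull-only rsync server command: $cmd"; return 1 ;;
    esac

    # The source path is the last word of the server command line.
    set -f                    # no globbing while splitting into words
    set -- $cmd
    set +f
    eval "src=\${$#}"
    case $src in
        /*) abs=$src ;;
        *)  abs=$home/$src ;;
    esac
    case "/$abs/" in
        */../*) deny "parent directory reference in path: $src"; return 1 ;;
    esac
    case $abs in
        "$ALLOWED_ROOT"|"$ALLOWED_ROOT"/*) return 0 ;;
        *) deny "path outside $ALLOWED_ROOT: $src"; return 1 ;;
    esac
}

# run_rsync CMD: exec the real rsync with the checked argument list, never a shell.
run_rsync() {
    check_rsync_command "$1" || exit 1
    set -f
    set -- $1
    set +f
    shift                     # drop the leading "rsync"; we choose the binary
    exec "$RSYNC_BIN" "$@"
}

# Dispatch only when sshd runs this file as the ForceCommand (then $0 is the
# script path); sourcing it elsewhere just defines the functions above.
case $0 in
    */check_command.sh) run_rsync "${SSH_ORIGINAL_COMMAND:-}" ;;
esac
```

Install the script as root with mode 0755 in the root-owned home from step 4, run sshd -t before the restart, then verify both directions: `rsync -av pfrsync@host:incoming/ ./copy` should work, while `ssh pfrsync@host` and `ssh pfrsync@host id` should be refused with the "rsync only, denied" message and leave a line in the auth log. The check is deliberately strict (no push, no paths outside the allowed tree, no ".." components) and does not try to police individual rsync options; if you need finer control, rsync ships a wrapper for exactly this purpose, rrsync (in the rsync source's support directory; the installed path varies per distribution), which also whitelists the options it passes on.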
linux/nologin-rsync-only.1510060471.txt.gz, last modified 2017/11/07 14:14 by michael