If you use a SSH server to transfer files (scp or sftp) you might want to restict the connecting users.
Restrict the user shell, use rssh:
rssh is a restricted shell for use with OpenSSH, allowing only scp and/or sftp. It now also includes support for rdist, rsync, and cvs. For example, if you have a server which you only want to allow users to copy files off of via scp, without providing shell access, you can use rssh to do that.
Secured? Nope! The user might use port forwarding to do some nasty stuff, if he connects without shell/command (SSHv2). If you use password based authentication there is only ONE option: disallow port forwarding in the sshd.conf:
1 2 | AllowTcpForwarding Specifies whether TCP forwarding is permitted. The default is “yes”. Note that disabling TCP forwarding does not improve security unless users are also denied shell access, as they can always install their own forwarders. |
If you use key-based authentication you may look at the ~/.ssh/authorized_keys file. There you can set options like no-port-forwarding, no-X11-forwarding… If you use this option make sure you place the authorized_keys file outside the user directory, for example: “AuthorizedKeysFile /etc/ssh/%u/authorized_keys”.
1 2 3 | no-port-forwarding Forbids TCP forwarding when this key is used for authentication. Any port forward requests by the client will return an error. This might be used, e.g. in connection with the command option. |
