SCP Without SSH – Permitting SCP but Not SSH Without scponly on Ubuntu 16.04

16.04scpssh

I'm migrating a Debian server to Ubuntu 16.04. One of the packages on the Debian server is scponly which acts as a shell and permits ssh connections for scp purposes only (not login or running anything other than the scp binary). Details can be found here. This package has been on the Debian through at least 2 physical server upgrades already, countless OS upgrades, and probably dates from about 2007.

scponly is not in any 16.04 repository, and isn't compiled on launchpad. Whilst I am quite capable of installing it from source, this got me wondering whether in the last 10+ years there is a better way of configuring ssh to permit scp commands only, that is more Ubuntu 16.04 friendly, and less based in the dim and distant past. Any ideas?

Best Answer

According to this serverfault.com answer Allow SCP but not actual login using SSH, one currently supported way is by using rssh, which is available from the universe repository:

sudo apt-add-repository universe

sudo apt-get install rssh

To allow SCP, you must uncomment the corresponding line in the /etc/rssh.conf file (plus any other protocols you wish to enable):

allowscp
#allowsftp
#allowcvs
#allowrdist
#allowrsync
#allowsvnserve

Then it is just a matter of changing the user's login shell to the rssh shell, e.g.

sudo chsh -s /usr/bin/rssh steeldriver

You can then test that SCP works e.g.

$ scp steeldriver@localhost:~/Pictures/somefile.png ./
steeldriver@localhost's password: 
somefile.png                                                               100%   34KB  33.7KB/s   00:00    
$

but SSH should fail with a rejection message like

$ ssh steeldriver@localhost
steeldriver@localhost's password: 
Welcome to Ubuntu 14.04.4 LTS (GNU/Linux 3.13.0-88-generic x86_64)

 * Documentation:  https://help.ubuntu.com/

Last login: Wed Jul  6 16:23:47 2016 from localhost

This account is restricted by rssh.
Allowed commands: scp

If you believe this is in error, please contact your system administrator.

Connection to localhost closed.

Note that it does not appear to be necessary to add /usr/bin/rssh to the list of allowed login shells in /etc/shells

Related Question