I'm allowing a friend a local account on my machine, exclusively for SCP. Can I specify his account's shell as /bin/true, or in any other way limit the account, while still allowing SCP?
SCP Login – Do You Need a Shell for SCP?
Best Answer
You can set that user's shell to rssh or scponly, which are designed precisely for that purpose:

When you run scp, the OpenSSH daemon fires off an scp process with the -f option. When you run sftp, the OpenSSH daemon fires off an sftp-server process. In either case, the subprocess is executed through the user's shell, so that shell must support at least these commands, with a Bourne-like syntax. Any Bourne-style shell will do, as will csh (I think its quoting rules are compatible enough for what sshd uses). Rssh and scponly allow these commands and nothing else. /bin/true would not even run these commands.
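
An added example, not part of the answer above and not rssh's or scponly's code, of the mechanism it describes: sshd hands the command to the account's shell as `-c "<command>"`, so a restricted shell only has to recognise the scp and sftp-server invocations and refuse everything else. The sftp-server path, the `-t` mode, the option allowlist and the sample commands are assumptions of this example.

```shell
#!/bin/sh
# Added example: allowlist check for the command string that sshd passes
# to the account's shell as `-c "<command>"`. Not rssh or scponly code.

SFTP_SERVER="/usr/lib/openssh/sftp-server"  # assumed path; differs by distro

# check_command "<command>": returns 0 to allow, 1 to deny.
check_command() {
    cmd=$1
    # Deny anything outside a plain character set, so no ; | & $ ` quotes,
    # globs or newlines can chain a second command onto an allowed one.
    case $cmd in
        *[!-A-Za-z0-9./_\ ]*) return 1 ;;
    esac
    set -- $cmd                      # word-split; safe after the check above
    case $1 in
        scp)
            shift
            mode=0
            for arg in "$@"; do
                case $arg in
                    -f|-t) mode=1 ;;       # server-side modes (-f: send, -t: receive)
                    -r|-p|-d|-v) ;;        # flags assumed acceptable alongside them
                    --) break ;;           # end of options, paths follow
                    -*) return 1 ;;        # refuse every other option
                esac
            done
            [ "$mode" -eq 1 ] ;;           # plain "scp ..." without -f/-t is denied
        "$SFTP_SERVER")
            [ $# -eq 1 ] ;;                # sftp-server with no extra arguments
        *)
            return 1 ;;                    # includes the empty (interactive) case
    esac
}

# Constructed sample commands, one per line; prints the decision for each.
demo() {
    while IFS= read -r line; do
        if check_command "$line"; then echo "ALLOW  $line"; else echo "DENY   $line"; fi
    done <<'EOF'
scp -f /home/friend/report.txt
scp -r -t .
/usr/lib/openssh/sftp-server
/bin/bash
scp -f report.txt; ls
EOF
}
demo
```
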