I'd like to make ssh account that is capable of doing two things:
- mounting (can be one) directory via
sshfs - performing backup&recovery of his/her desired directories using
rsync
I would love to utilize ssh for rsync purpose, without running extra rsync server. (Main issue is availability of one port just for ssh. If not possible or simplifies things a lot I might consider sshfs tunnelling).
Question: so far I achieved sftp only accounts. However they lack of rsync over ssh, which I'd like to add.
TL;DR: so far, I've tried to join "ftp only" account approach with "allowed commands wrapper" approach via custom script pointed by ForceCommandoption – those details are described below.
How I achieved sftp only account so far
So far I had success with configuring ssh account to be limited to sftp following tutorial : https://solderintheveins.co.uk/2011/03/ubuntu-sftp-only-account-how-to/
In digest, it was mainly achieved by following sshd_config change:
Subsystem sftp internal-sftp
Match group sftponly
ChrootDirectory %h
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp
And making account belonging only to sftponly group:
username=LIMITED_USER
sudo useradd -d /home/${username} -s /usr/lib/sftp-server -M -N -g sftponly ${username}
sudo passwd ${username}
sudo mkdir -p /home/${username}/uploads /home/${username}/.ssh
sudo chown ${username}:sftponly /home/${username}/uploads /home/${username}/.ssh
sudo chmod 700 /home/${username}/.ssh
Added /usr/lib/sftp-server to /etc/shells.
As users have encrypted home directories in Ubuntu Server style, I have their authorized keys in different location ( via /etc/ssh/sshd_config , AuthorizedKeysFile /etc/ssh/users_configs/%u/authorized_keys ) :
sudo mkdir /etc/ssh/users_configs/${username}
cd /etc/ssh/users_configs/${username}
sudo vim /etc/ssh/users_configs/${username}/authorized_keys
# Here copy desired signature for the purpose from the client
sudo chmod 700 /etc/ssh/users_configs/${username}/authorized_keys
sudo chown ${username}:sftponly /etc/ssh/users_configs/${username}/authorized_keys
Problems with rsync and so far tries with "ForceCommand"
While mounting via sshfs works fine,
I came across following problem:
how to allow user to also rsync?
I tried to drop ChrootDirectory and change ForceCommand to some kind of "command filter" (i.e. allowing only subset of commands) like in : https://binblog.info/2008/10/20/openssh-going-flexible-with-forced-commands/ :
$ grep -B 1 ForceCommand /etc/ssh/sshd_config
Match group sftponly
ForceCommand /etc/ssh/wrapper.sh
$ sudo cat /etc/ssh/wrapper.sh
#!/bin/sh
(
echo -n '# '
date
echo $SSH_ORIGINAL_COMMAND
) >> /home/"${USER}"/.ssh_commands_history
case "$SSH_ORIGINAL_COMMAND" in
"allowed_command")
eval $SSH_ORIGINAL_COMMAND
;;
*)
echo ERROR;
exit 1
;;
esac
$ sudo touch /home/LIMITED_USER/.ssh_commands_history
$ sudo chown LIMITED_USER:sftponly /home/LIMITED_USER/.ssh_commands_history
$ sudo chmod 0700 /home/LIMITED_USER/.ssh_commands_history
but after all it does not pan out. ( I perform ssh u@srv ps and it get's stuck instead of returning output of ps as in mentioned example. sshd -ddd nor ssh -v seem helpful here ).
Therefore:
I'd like to make accounts that will be used for sshfs and rsyncing. How to make them working and limited for increased security?
Best Answer
ForceCommandis not filter, but forced command regardless the command-line as the name proposes.rsyncrequires to run different commands (as far as I know ... yes,sshd -dddandssh -vvvwould be helpful to provide).One possibility is to leave the
ChrootDirectory, removeForceCommandand copyrsync, maybe someshelland it's dependencies (ldd /usr/bin/rsync) to thechroot. It is not ideal, but it should do the job and fence the user from the filesystem.