I'd like to make ssh account that is capable of doing two things:
- mounting (can be one) directory via
sshfs
- performing backup&recovery of his/her desired directories using
rsync
I would love to utilize ssh
for rsync
purpose, without running extra rsync
server. (Main issue is availability of one port just for ssh
. If not possible or simplifies things a lot I might consider sshfs
tunnelling).
Question: so far I achieved sftp
only accounts. However they lack of rsync
over ssh
, which I'd like to add.
TL;DR: so far, I've tried to join "ftp only" account approach with "allowed commands wrapper" approach via custom script pointed by ForceCommand
option – those details are described below.
How I achieved sftp
only account so far
So far I had success with configuring ssh
account to be limited to sftp
following tutorial : https://solderintheveins.co.uk/2011/03/ubuntu-sftp-only-account-how-to/
In digest, it was mainly achieved by following sshd_config
change:
Subsystem sftp internal-sftp
Match group sftponly
ChrootDirectory %h
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp
And making account belonging only to sftponly
group:
username=LIMITED_USER
sudo useradd -d /home/${username} -s /usr/lib/sftp-server -M -N -g sftponly ${username}
sudo passwd ${username}
sudo mkdir -p /home/${username}/uploads /home/${username}/.ssh
sudo chown ${username}:sftponly /home/${username}/uploads /home/${username}/.ssh
sudo chmod 700 /home/${username}/.ssh
Added /usr/lib/sftp-server
to /etc/shells
.
As users have encrypted home directories in Ubuntu Server style, I have their authorized keys in different location ( via /etc/ssh/sshd_config
, AuthorizedKeysFile /etc/ssh/users_configs/%u/authorized_keys
) :
sudo mkdir /etc/ssh/users_configs/${username}
cd /etc/ssh/users_configs/${username}
sudo vim /etc/ssh/users_configs/${username}/authorized_keys
# Here copy desired signature for the purpose from the client
sudo chmod 700 /etc/ssh/users_configs/${username}/authorized_keys
sudo chown ${username}:sftponly /etc/ssh/users_configs/${username}/authorized_keys
Problems with rsync
and so far tries with "ForceCommand"
While mounting via sshfs
works fine,
I came across following problem:
how to allow user to also rsync
?
I tried to drop ChrootDirectory
and change ForceCommand
to some kind of "command filter" (i.e. allowing only subset of commands) like in : https://binblog.info/2008/10/20/openssh-going-flexible-with-forced-commands/ :
$ grep -B 1 ForceCommand /etc/ssh/sshd_config
Match group sftponly
ForceCommand /etc/ssh/wrapper.sh
$ sudo cat /etc/ssh/wrapper.sh
#!/bin/sh
(
echo -n '# '
date
echo $SSH_ORIGINAL_COMMAND
) >> /home/"${USER}"/.ssh_commands_history
case "$SSH_ORIGINAL_COMMAND" in
"allowed_command")
eval $SSH_ORIGINAL_COMMAND
;;
*)
echo ERROR;
exit 1
;;
esac
$ sudo touch /home/LIMITED_USER/.ssh_commands_history
$ sudo chown LIMITED_USER:sftponly /home/LIMITED_USER/.ssh_commands_history
$ sudo chmod 0700 /home/LIMITED_USER/.ssh_commands_history
but after all it does not pan out. ( I perform ssh u@srv ps
and it get's stuck instead of returning output of ps as in mentioned example. sshd -ddd
nor ssh -v
seem helpful here ).
Therefore:
I'd like to make accounts that will be used for sshfs
and rsyncing
. How to make them working and limited for increased security?
Best Answer
ForceCommand
is not filter, but forced command regardless the command-line as the name proposes.rsync
requires to run different commands (as far as I know ... yes,sshd -ddd
andssh -vvv
would be helpful to provide).One possibility is to leave the
ChrootDirectory
, removeForceCommand
and copyrsync
, maybe someshell
and it's dependencies (ldd /usr/bin/rsync
) to thechroot
. It is not ideal, but it should do the job and fence the user from the filesystem.