How to set up ssh-only user with minimal privileges?

Petter Adsen petter at synth.no
Fri Apr 3 06:49:00 UTC 2015


On Fri, 03 Apr 2015 04:18:18 +1100
Karl Auer <kauer at biplane.com.au> wrote:

> On Thu, 2015-04-02 at 15:59 +0000, Dan Purgert wrote:
> > On Thu, 02 Apr 2015 16:22:59 +0200, Petter Adsen wrote:
> > > I have a short script running from cron on a server running
> > > 14.10, that creates a small backup of essential system files.
> > > What I want to do is set up this script to scp the tarball to
> > > another, remote system.
> >
> > yep, /bin/false should do it.  Just make sure you give them a home 
> > directory for dumping files to (cron move job or something can
> > handle it from there).

<snip>

> You could run up a second sshd on a different port and configure it to
> ONLY allow connections to the one specific account from one specific
> IP address. chroot this instance for even more lockdown.

Thank you both, this was really helpful!

> There's really no end to the lengths you can go, but after a while you
> reach a point of diminishing returns. For example, you could put all
> of the above into VM...

...and protect the VM with apparmor? :)

Yes, I'm not going to take it to extremes, and as I'm just backing up
a few config files there is no need for encryption. If the remote host
gets compromised, I have bigger problems anyway :) I just want to make
sure that the account that drops the backup can only do just that, and
can't be used to get a shell. The remote host already only allows
logins with keys, and I will use a totally separate account. I use
iptables to limit access to ssh, so a couple of your suggestions above will
probably be sufficient.

Thanks again,

Petter

-- 
"I'm ionized"
"Are you sure?"
"I'm positive."
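An added example, not from anyone in the thread, of the lockdown discussed above done with a Match block on the existing sshd instead of a second daemon: a shell-less drop account, chrooted to its home, limited to SFTP uploads, whose key only works from one client address. The user name backupdrop, the path /srv/backupdrop and the address 203.0.113.10 are assumed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: a drop-only account that can upload
# over SFTP and nothing else. Assumed placeholders: user backupdrop,
# chroot /srv/backupdrop, client 203.0.113.10, public key passed as $2.
set -eu

USER_NAME="backupdrop"
CHROOT="/srv/backupdrop"   # chroot root: must be root-owned, not group/world writable
CLIENT_IP="203.0.113.10"   # the only address the key may be used from

# authorized_keys line: key valid only from CLIENT_IP, with pty and all
# forwarding disabled (these options exist on OpenSSH 6.6 / Ubuntu 14.10;
# OpenSSH 7.2+ can use the single "restrict" option instead).
render_authorized_keys() {
    printf 'from="%s",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding %s\n' "$1" "$2"
}

# sshd_config Match block: jail the user, replace whatever command the
# client asks for with the in-process SFTP server, close the remaining
# escape hatches. Appended at the end of sshd_config, since every
# directive after a Match line belongs to that Match.
render_sshd_match() {
    cat <<EOF
Match User $1
    ChrootDirectory $2
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
    PermitTunnel no
    PasswordAuthentication no
EOF
}

# Creates the account and installs the config; needs root, so it only runs
# when invoked as: sh lockdown.sh apply "ssh-ed25519 AAAA... backup@client"
apply_restricted_user() {
    useradd --system --shell /bin/false --home-dir "$CHROOT" --no-create-home "$USER_NAME"
    install -d -m 0755 -o root -g root "$CHROOT"
    install -d -m 0700 -o "$USER_NAME" -g "$USER_NAME" "$CHROOT/upload"  # only writable dir
    install -d -m 0700 -o "$USER_NAME" -g "$USER_NAME" "$CHROOT/.ssh"
    render_authorized_keys "$CLIENT_IP" "$1" > "$CHROOT/.ssh/authorized_keys"
    chown "$USER_NAME:$USER_NAME" "$CHROOT/.ssh/authorized_keys"
    chmod 0600 "$CHROOT/.ssh/authorized_keys"
    render_sshd_match "$USER_NAME" "$CHROOT" >> /etc/ssh/sshd_config
    sshd -t && service ssh reload   # syntax-check before reloading
}

if [ "${1:-}" = "apply" ]; then
    apply_restricted_user "${2:?public key required}"
fi
```

Because ForceCommand internal-sftp never spawns a shell, the backup script has to push with `sftp` (legacy `scp` needs a remote shell; OpenSSH 9+ `scp` uses SFTP by default) into /upload, which is the only path inside the chroot the account can write to.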