Restrict server for only file transfers

I was wondering how others go about using a server for file-transfer-only purposes such as rsync, scp, and sftp? I see that Bridges at PSC does this (https://www.psc.edu/bridges/user-guide/transferring-files). If you try to ssh to the server, you get a message stating that this is only to be used for file transfer purposes.

I saw a couple of options such as rssh, but that seems like it is not maintained anymore and could be a security risk. Another option is to use a sftp jail, but I don’t believe that allows you to use rsync and it still allows you to ssh, but just restricting what directories you see.

There is a package called scponly that we have used quite successfully over the last six years.

Available Packages
scponly.x86_64                          4.8-18.el7                          epel

We install that on separate data transfer nodes, and for those nodes only enable password-less, ssh key transfers so that tasks can be automated.

Since it is ssh/scp under the hood, anything that uses ssh should work with it. The shell is modified to

 username:x:123456:123456:User Name:/home/username:/usr/bin/scponly

so you need something that will convert login shell to the scponly shell for users at or above your minimum, end-user UID on the machines that would offer it.

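Since the passwd line above is the whole mechanism, the thing to automate is finding accounts at or above the end-user UID cut-off whose login shell is still something other than scponly. The following script is an added example, not code from the thread or from the scponly project: it assumes scponly at /usr/bin/scponly (the path in the passwd line above) and a minimum end-user UID of 1000, both overridable through environment variables, and it only emits the usermod commands rather than running them.

```shell
#!/bin/sh
# Added example (not from the thread): audit a passwd-format file for accounts at or
# above MIN_UID whose login shell is not scponly, and emit the usermod commands that
# would fix them. Assumed defaults: scponly at /usr/bin/scponly, end users from UID 1000.

SCPONLY_SHELL="${SCPONLY_SHELL:-/usr/bin/scponly}"
MIN_UID="${MIN_UID:-1000}"

# Print "user:uid:shell" for each account in the given passwd file whose UID is >= MIN_UID
# and whose shell is neither scponly nor a no-login shell (those cannot log in anyway).
find_unrestricted() {
    awk -F: -v min="$MIN_UID" -v want="$SCPONLY_SHELL" '
        $3 >= min && $7 != want && $7 !~ /nologin$/ && $7 != "/bin/false" {
            printf "%s:%s:%s\n", $1, $3, $7
        }
    ' "$1"
}

# Emit one "usermod -s <scponly> <user>" line per offending account. Nothing is executed
# here; review the output and pipe it to sh (as root) on the data transfer node.
fix_commands() {
    find_unrestricted "$1" | while IFS=: read -r user uid shell; do
        printf 'usermod -s %s %s\n' "$SCPONLY_SHELL" "$user"
    done
}

# Constructed sample passwd data so the script runs stand-alone (not a real host).
SAMPLE_PASSWD=$(mktemp)
trap 'rm -f "$SAMPLE_PASSWD"' EXIT
cat >"$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
alice:x:1001:1001:Alice:/home/alice:/bin/bash
bob:x:1002:1002:Bob:/home/bob:/usr/bin/scponly
carol:x:123456:123456:Carol:/home/carol:/bin/zsh
dave:x:1003:1003:Dave:/home/dave:/sbin/nologin
EOF

# Typical use on a real node: MIN_UID=1000 sh audit.sh and then review fix_commands output.
# With the sample above, find_unrestricted reports alice and carol; root, sshd and dave are
# skipped (below the cut-off or no-login), and bob already has the scponly shell.
find_unrestricted "$SAMPLE_PASSWD"
fix_commands "$SAMPLE_PASSWD"
```

If accounts come from a directory rather than local files, run the audit against `getent passwd` output instead of /etc/passwd; the SSSD `override_shell` approach mentioned later in the thread covers the same ground centrally.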

Thank you. I went with this option even though it seems to be a stale project, but maybe that is just because it has very few security implications.

For others who may come across this: we are using SSSD for authentication and added the following line to the [nss] section to make sure everybody is using the scponly shell.

override_shell = /usr/local/bin/scponly

The SSH option ForceCommand can also be used for this without needing additional software. It is built into the SSH daemon, configurable in sshd_config. You can even allow some users to get a shell and prevent others using SSH’s Match command. See https://www.digitalocean.com/community/tutorials/how-to-enable-sftp-without-shell-access-on-ubuntu-16-04 for more details.
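The sshd_config shape this describes, as an added example that is not part of the original post or of the linked tutorial. The group name `xfer` and the chroot path under /srv/xfer are assumptions. Note the trade-off against scponly: `ForceCommand internal-sftp` runs only the in-process SFTP server, so scp and rsync, which need to start a program on the remote side, stop working for matched users; if rsync is a requirement, ForceCommand with a fixed command or the scponly shell is the better fit.

```conf
# Added example, not from the thread: SFTP-only access for members of group "xfer"
# (assumed name), with no shell, forwarding or tunnelling. Everyone else keeps normal SSH.
Subsystem sftp internal-sftp

Match Group xfer
    ForceCommand internal-sftp
    # Chroot root (assumed path) and every directory above it must be owned by root and
    # not group- or world-writable, or sshd refuses the login. Give users a writable
    # subdirectory inside it, e.g. /srv/xfer/<user>/upload.
    ChrootDirectory /srv/xfer/%u
    AllowTcpForwarding no
    AllowAgentForwarding no
    X11Forwarding no
    PermitTunnel no
```

Before reloading, `sshd -t` checks the file for syntax errors, and `sshd -T -C user=alice,host=client.example,addr=192.0.2.10` prints the effective configuration that a Match block yields for a given user, which is the quickest way to confirm that the restriction applies to the intended accounts and not to the administrators.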