I have come across numerous scenarios where scripts and programs require SCP to work properly, but do not require interactive SSH access.
By default on CentOS there is no shell that lets you block interactive SSH while still allowing SCP, so instead we have to install the 'scponly' shell from EPEL:
yum install scponly
Once installed, the shell should be listed in /etc/shells, e.g.:
/bin/sh
...
/usr/bin/scponly
/bin/scponly
Proceed by creating a group for it:
sudo groupadd scponly
Create the directory you wish to serve, e.g.:
/var/secure/uploads
and ensure the appropriate ownership information is applied (I only want the script to read the files):
sudo chown root:scponly /var/secure/uploads
and permissions, e.g.:
sudo chmod 770 /var/secure/uploads
sudo chmod 640 /var/secure/uploads/*
and create a new user, ensuring they are a member of the 'scponly' group and have the scponly shell assigned:
sudo useradd -m -d /home/script -s "/usr/bin/scponly" -c "script" -G scponly script
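The setup above is easy to get slightly wrong (a shell path missing from /etc/shells, a user left on bash, or directory modes looser than intended), so here is an added audit script that checks the result. It is not part of the original post; the default user name, shell path and upload directory are assumptions that simply mirror the values used above, and each function also accepts alternative files or paths so it can be run against copies for testing.

```shell
#!/bin/sh
# Added example (not from the original post): sanity checks for an scponly
# setup like the one described above. Defaults mirror the post's values and
# are assumptions; pass your own as arguments.

# Return 0 if the given login shell appears as a whole line in a shells file.
shell_listed() {
  shell="$1"
  shells_file="${2:-/etc/shells}"
  grep -qx "$shell" "$shells_file"
}

# Return 0 if the user's login shell (field 7 of a passwd-format file) is the expected one.
user_shell_is() {
  user="$1"
  expected="$2"
  passwd_file="${3:-/etc/passwd}"
  actual=$(awk -F: -v u="$user" '$1 == u { print $7 }' "$passwd_file")
  [ "$actual" = "$expected" ]
}

# Return 0 if the directory and every regular file directly inside it have the
# given octal modes (GNU stat, as on CentOS).
tree_modes_are() {
  dir="$1"
  dir_mode="$2"
  file_mode="$3"
  [ "$(stat -c %a "$dir")" = "$dir_mode" ] || return 1
  for f in "$dir"/*; do
    [ -f "$f" ] || continue
    [ "$(stat -c %a "$f")" = "$file_mode" ] || return 1
  done
  return 0
}

# Run every check against the live system and print one line per check.
# Directory mode defaults to 750 so the scponly group can list and read but
# not create or delete files; pass 770 if group write is really intended.
audit_scponly() {
  user="${1:-script}"
  shell="${2:-/usr/bin/scponly}"
  dir="${3:-/var/secure/uploads}"
  dir_mode="${4:-750}"
  status=0
  if shell_listed "$shell"; then echo "ok: $shell is listed in /etc/shells"
  else echo "FAIL: $shell is missing from /etc/shells"; status=1; fi
  if user_shell_is "$user" "$shell"; then echo "ok: $user logs in with $shell"
  else echo "FAIL: $user does not use $shell"; status=1; fi
  if tree_modes_are "$dir" "$dir_mode" 640; then echo "ok: $dir is $dir_mode, files 640"
  else echo "FAIL: $dir modes differ from $dir_mode/640"; status=1; fi
  return $status
}
```

Note that the post's `chmod 770` grants the scponly group write access to the directory, which lets the script account create and delete files there; if the intent is that the account only reads what is uploaded by others, `chmod 750` on the directory together with `640` on the files is the read-only combination, and that is what the audit checks by default.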