This user bob can only run scp, and not get a shell by ssh. Every other ssh-y thing he tries should get the error “This service allows sftp connections only.”
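bob=bob # or bob=marysue
# cat, not echo: echo ignores stdin, so the heredoc would never reach the file
cat >> /etc/ssh/sshd_config <<EOF
Match Group sftponly
    ChrootDirectory %h
    ForceCommand internal-sftp -u 0002 -d /incoming
EOF
# -H sets HOME to bob's home so ~ expands to his directory, not the caller's
sudo -H -u "$bob" sh -c 'mkdir ~/incoming' # here's a place for your stuff, bob
groupadd sftponly # group for scp and sftp only
usermod -a -G sftponly "$bob" # bob: you're in it
chown root "/home/$bob" # sorry bob, we're going to chroot here, so you can't have it
# reload sshd afterwards so the new Match block takes effect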
This is reasonably secure™, but it doesn’t stop him from logging in at the console … or with telnet, or with su if he gets some other code running. If you don’t have telnet enabled, you can enable it now for this particular security hole. Actually, the shell should be changed to something listed in /etc/shells that is not a shell, but that is an exercise for the reader.
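The two things this setup depends on, the login shell and the chroot directory's ownership, can be checked with a short script. This is an added example, not part of the original post: the function names, the choice of nologin and false as the non-shells, and the sample accounts are assumptions made for illustration.

```sh
#!/bin/sh
# Added example (not from the original post). File paths are parameters so the
# checks can be run against copies of /etc/group and /etc/passwd.

# Print members of group $1 (group file $2) whose login shell in passwd file $3
# is a real shell, i.e. accounts that can still log in at the console or via su.
# Only supplementary members (what `usermod -a -G` creates) are listed in $2.
sftponly_with_shell() {
    members=$(awk -F: -v g="$1" '$1 == g { print $4 }' "$2")
    awk -F: -v list="$members" '
        BEGIN { n = split(list, m, ","); for (i = 1; i <= n; i++) want[m[i]] = 1 }
        ($1 in want) && $7 !~ /\/(nologin|false)$/ { print $1 }
    ' "$3"
}

# sshd rejects a ChrootDirectory that is not owned by root or is writable by
# group or others. Succeeds if directory $1 passes; $2 overrides the expected
# owner uid (default 0) so the check can be exercised without root.
# Only the final directory is checked here, not its parent components.
chroot_dir_ok() {
    [ -d "$1" ] || return 1
    want_uid=${2:-0}
    ls -ldn "$1" | {
        read -r mode links uid rest
        # mode looks like drwxr-xr-x: char 6 is group write, char 9 other write
        [ "$uid" = "$want_uid" ] && case $mode in
            d????-??-?*) true ;;
            *) false ;;
        esac
    }
}

# Constructed sample data: bob kept bash, marysue was moved to nologin.
demo() {
    tmp=$(mktemp -d) || return 1
    printf 'sftponly:x:1001:bob,marysue\n' > "$tmp/group"
    printf '%s\n' 'bob:x:1000:1000::/home/bob:/bin/bash' \
        'marysue:x:1002:1002::/home/marysue:/usr/sbin/nologin' > "$tmp/passwd"
    sftponly_with_shell sftponly "$tmp/group" "$tmp/passwd"
    rm -rf "$tmp"
}

demo
```

On a live host, `sftponly_with_shell sftponly /etc/group /etc/passwd` lists the accounts whose shell still needs changing, and `chroot_dir_ok /home/bob` confirms the `chown root` step took effect.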