Linux – what are the minimal user permissions required to scp files to a remote server

Tags: gpg, linux, scp, security, ubuntu

I want to set up a cron job to transfer data from one host (A) to another (B).

My understanding so far is that I will have to create a user on machine B, so that scp can copy the files to a folder in the user's home directory.

However, I do not want the newly created user to HAVE ANY permissions over the bare minimum necessary to copy the files from machine A to B.

I think the user:

  1. needs to be able to login to machine B
  2. should not be able to run either sudo or su
  3. ideally, should not be able to cd above their home directory (sounds like a chrooted user, don't know if that is possible)
  4. should only be able to write to a single file (in its home directory on machine B) and not even be allowed to run any processes or script etc.

The whole purpose of this user is simply to be able to transfer files over occasionally, from machine A to machine B, without in any way compromising the security of machine B.

I would want to run this transfer as an unattended cron job. I would also like to send the file as compressed and encrypted, so I need to know how to be able to:

  1. encrypt without prompting for a password (so it can be used in a script)
  2. how to use scp without being prompted for a password

Any help on the above will be appreciated.

BTW, I am running Ubuntu 10.0.4 LTS and I am thinking of using gpg for encryption, but I am open to suggestions/recommendations.

Best Answer

You can install rssh for this: a Restricted SSH Shell. This will restrict your user to initiating an SFTP or SCP session only. When the user tries to open a terminal session, rssh will reject the request.

The rssh shell can be activated by assigning it as the user's shell. This can be done in /etc/passwd, for example.

Note that the user will still have access to read every regular file on the disk. This can be addressed with SELinux/AppArmor/a chroot, but that's a relatively complex setup. If you care about access to specific folders only, I'd suggest running a dedicated FTPS server instead.
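
A small audit for the transfer account on machine B, given here as an added example that is not part of the original answer: it checks that the account's login shell is rssh, that its uid is not 0, and that it belongs to no sudo-granting group. The rssh path `/usr/bin/rssh`, the group names `sudo` and `admin`, and the sample accounts `xfer` and `ops` are assumptions.

```shell
#!/bin/sh
# Added example. Assumptions: rssh is installed at /usr/bin/rssh, and
# membership of "sudo" or "admin" is what grants sudo on this host.
RSSH_PATH="${RSSH_PATH:-/usr/bin/rssh}"
PRIV_GROUPS="${PRIV_GROUPS:-sudo admin}"

# audit_transfer_user USER PASSWD_FILE GROUP_FILE
# Prints findings; returns 0 if clean, 1 on findings, 2 if the user is missing.
audit_transfer_user() {
    user=$1 passwd_file=$2 group_file=$3 findings=0
    entry=$(awk -F: -v u="$user" '$1 == u { print; exit }' "$passwd_file")
    if [ -z "$entry" ]; then
        echo "no such user: $user"; return 2
    fi
    uid=$(printf '%s\n' "$entry" | cut -d: -f3)
    gid=$(printf '%s\n' "$entry" | cut -d: -f4)
    shell=$(printf '%s\n' "$entry" | cut -d: -f7)
    if [ "$uid" -eq 0 ]; then
        echo "$user: uid is 0"; findings=1
    fi
    if [ "$shell" != "$RSSH_PATH" ]; then
        echo "$user: login shell is '$shell', expected $RSSH_PATH"; findings=1
    fi
    for g in $PRIV_GROUPS; do
        # Membership is either the primary gid or the comma-separated member list.
        if awk -F: -v g="$g" -v u="$user" -v gid="$gid" '
            $1 == g { if ($3 == gid) hit = 1
                      n = split($4, m, ",")
                      for (i = 1; i <= n; i++) if (m[i] == u) hit = 1 }
            END { exit !hit }' "$group_file"; then
            echo "$user: member of privileged group $g"; findings=1
        fi
    done
    return $findings
}

# Constructed sample data (hypothetical accounts "xfer" and "ops").
demo=$(mktemp -d)
printf '%s\n' 'xfer:x:1001:1001::/home/xfer:/usr/bin/rssh' \
              'ops:x:1002:1002::/home/ops:/bin/bash' > "$demo/passwd"
printf '%s\n' 'sudo:x:27:ops' 'admin:x:110:' 'xfer:x:1001:' > "$demo/group"
for u in xfer ops; do
    if audit_transfer_user "$u" "$demo/passwd" "$demo/group"; then echo "$u: ok"; fi
done
rm -rf "$demo"
```

On a real host, pass `/etc/passwd` and `/etc/group` as the two files. The check covers group-based sudo only; per-user rules in `/etc/sudoers` need a separate review.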