On Ubuntu/Debian, you can install the scponly shell to restrict them to scp/sftp only. Just install the package and change their shell to /usr/bin/scponly:
sudo aptitude install scponly
sudo usermod -s /usr/bin/scponly USERNAME
The disk space problem is likely best solved with filesystem quotas. Unfortunately I have little experience with them.
If you want to get fancier (restricting filetypes and such) you'll probably need to write your own script to validate the commands being passed from the client. The simplest script would be a shell script that performs a test similar to this one:
if [[ $SSH_ORIGINAL_COMMAND = "scp -f *txt" ]]
then
exec $SSH_ORIGINAL_COMMAND
fi
That would allow downloading .txt files. Quick tests indicate the filename is not passed as part of the scp command when sending. So it may not be possible in that case.
The script would be set as the forced command for the user's key. (The ``command="blah"'' field in authorized_keys.) It can also be set as the "ForceCommand" option for a Match group in sshd_config, like so:
Match group scponly
ForceCommand /usr/local/sbin/scpwrapper
Then add the users to be so restricted to the "scponly" group.
EDIT:
By request, here's the script I use to enforce rsync-only access:
#!/bin/bash
#
# Verify that rsync command appears to be a legitimate rsnapshot command.
# Requires >= bash 3.x
#
# Ben Beuchler
# 6/4/07
# rsync needs to be operating in "server" mode.
re_server='rsync --server'
# Match both -x and --word options
re_options=' +-{1,2}[[:alpha:]-]+'
# Match legal paths
re_paths=' +[-[:alnum:]_./]+'
# Build the full regex
r="^${re_server}(${re_options})+(${re_paths}){2}$"
echo $SSH_ORIGINAL_COMMAND >> ssh_log
if [[ $SSH_ORIGINAL_COMMAND =~ $r ]]
then
exec $SSH_ORIGINAL_COMMAND
else
echo "Invalid rsync command."
fi
Use that script as a forced command (either by "command=" in ~/.ssh/authorized_keys or using a "Match" block in sshd_config as noted above) and it will reject everything except rsync commands. With a little tweaking it could be made to only accept specific rsync commands.
Best Answer
I'm not sure if trusting users is part of the equation, but
trickleis very handy for limiting the speed of a given command. When I upload packages from home, the WoW-addict roommates notice when I forget something like that, since it pretty much dominates the pipe.