Ssh many users to one home

sftp ssh ssh-keys

I want to allow some trusted users to scp files into my server (to a specific user), but I do not want to give these users a home or an SSH login.

I'm having trouble understanding the correct settings of the users/groups I have to create to allow this to happen.

I will give an example:

Having:

  1. MyUser@MyServer
  2. MyUser belongs to the group MyGroup
  3. MyUser's home will be, let's say, /home/MyUser
  4. SFTPGuy1@OtherBox1
  5. SFTPGuy2@OtherBox2

They give me their id_dsa.pub's and I add them to my authorized_keys

I reckon then, I'd do in my server something like

useradd -d /home/MyUser -s /bin/false SFTPGuy1 (and the same for the other..)

And lastly, useradd -G MyGroup SFTPGuy1 (then again, for the other guy)

I'd expect then, the SFTPGuys to be able to sftp -o IdentityFile=id_dsa MyServer and to be taken to MyUser's home…

Well, this is not the case… SFTP just keeps asking me for a password.

Could someone point out what I am missing?

Thanks a mil,

f.

[EDIT: Messa in StackOverflow asked me if the authorized_keys file was readable to the other users (members of MyGroup). It's an interesting point; this was my answer:

Well, it wasn't (it was 700), but then I changed the permissions of the .ssh dir and the auth file to 750, though still no effect. Guess it's worth mentioning that my home dir (/home/MyUser) is also readable for the group; most dirs being 750 and the specific folder where they'd drop files is 770.

Nevertheless, about the auth file, I reckon the authentication would be performed by the local user on MyServer, isn't it? If so, I don't understand the need for other users to read it… well.. just wondering. ]

Best Answer

Before you try this, read all the way to the bottom please.

You can do what you want to do by creating 2 users, putting them in the same group and giving them the same home directory. Then create the ~/.ssh/authorized_keys file in the shared home with the keys in it.

The accounts have to have a shell, so lock them using usermod -L LOGIN, which will prevent interactive login.

The permissions on the ~/.ssh directory need to be g:r-x and the ~/.ssh/authorized_keys needs to be g:r--

chmod g+rx ~/.ssh
chmod g+r ~/.ssh/authorized_keys

This then causes sshd pain, as it expects the directory to be at most g:r-- and the file to be g:---; you get the error message

Authentication refused: bad ownership or modes for file /home/test/.ssh/authorized_keys

To make this scheme work you now have to break sshd's inbuilt checks by editing /etc/sshd_config and setting StrictModes no from the default StrictModes yes. Restart sshd to make the changes known.

It should work as you want. Unfortunately you've taken the safety off sshd and could make changes at a later date that leave your system wide open.

To do this more securely, don't make any of the changes above.

Create 2 user accounts in the same group and set up their ~/.ssh/authorized_keys. Create a link from each home directory to the place you want them to put stuff.

ln -s -n /path/to/stuff content

Lock down the permissions on the home directory to prevent the users writing to them.

Stop the accounts from logging in interactively:

usermod -L LOGIN

Change the permissions on the /path/to/stuff to allow group access.
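
An added example, not part of the original answer: a POSIX shell check that audits one upload account against the "more secure" layout above (home not writable by the account, a content symlink into the shared directory, group access on the shared directory). The function name, its three arguments and the use of the group/world write bits as the test for .ssh and authorized_keys (the bits StrictModes yes refuses) are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): audit one upload-only account.
# Usage: audit_upload_home HOME_DIR SHARED_DIR ACCOUNT_UID

# Octal mode and owner uid of a path (GNU stat first, BSD stat as fallback).
mode_of()  { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null; }
owner_of() { stat -c '%u' "$1" 2>/dev/null || stat -f '%u' "$1" 2>/dev/null; }

# True if any permission bit in octal MASK ($2) is set on path $1.
has_bits() { [ $(( 0$(mode_of "$1") & 0$2 )) -ne 0 ]; }

fail() { echo "FAIL: $*"; rc=1; }

audit_upload_home() {
    home=$1; shared=$2; uid=$3; rc=0

    # Home, .ssh and the keys file must exist with no group/other write bit.
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then fail "$p is missing"; continue; fi
        if has_bits "$p" 022; then fail "$p is group- or world-writable"; fi
    done

    # If the account owns its home, the owner write bit must be off too,
    # otherwise the account could replace .ssh or the content link.
    if [ "$(owner_of "$home")" = "$uid" ] && has_bits "$home" 200; then
        fail "$home is writable by its owner"
    fi

    # content must be a symlink that resolves to the shared directory.
    if [ ! -L "$home/content" ] || [ ! "$home/content" -ef "$shared" ]; then
        fail "$home/content is not a symlink to $shared"
    fi

    # Shared directory: the group needs rwx to list, enter and create files.
    if [ $(( 0$(mode_of "$shared") & 070 )) -ne $(( 070 )) ]; then
        fail "$shared lacks group rwx"
    fi

    if [ "$rc" -eq 0 ]; then echo "OK: $home"; fi
    return "$rc"
}
```

Run it as root once per upload account, for example with the uid from `id -u LOGIN`; a non-zero exit status means at least one FAIL line was printed.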