[Semibug] ssh to host on local network
Josh Grosse
josh at jggimi.net
Fri Apr 29 22:13:16 EDT 2022
On Fri, Apr 29, 2022 at 02:08:53PM -0600, Jonathan Drews wrote:
> ...The sole reason I wanted to grant my
> friend access to the computer was to allow him to download a tarball
> containing a tutorial for GnuPlot. I decided it was easier to just
> upload the tarball to Google drive.
Whenever I have shared files with someone via SSH, I've usually
set up an sftp-only user for the purpose.
* The user cannot use a shell; they can only connect via sftp(1).
* They are chroot(2)ed in their own home directory and have
  no access to the filesystem outside it.
* I can set a quota(1) to prevent a large upload from
  filling the filesystem containing their home directory.
* I never use passwords with SSH, so I have the external,
  untrusted user send me the public half of an SSH key pair
  that I can put in their ~/.ssh/authorized_keys file.
Here's an example tail(1) from an sshd_config(5) file
where I set up such an account, to share files with Nick
back in 2018. Nick cannot log on with a password --
the account doesn't have one. He can only use sftp
and only if he has the private half of his key pair
that matches the public half that he sent me.
    Match User nick
        ChrootDirectory /home/nick
        ForceCommand internal-sftp
        AllowTcpForwarding no
        X11Forwarding no
You can also do this with a group of users via
"Match Group <group>" but on this particular SSH server
Nick was the only user I set this up for.
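
[Added example, not part of the original message or of any project's code: a small Python audit that reads sshd_config text and reports whether a given user is actually held to the four restrictions in the Match block above. The sample configs are constructed, and the parser assumes only literal "Match User name[,name...]" lines.]

```python
# Added example: audit an sshd_config for the sftp-only restrictions in the post.
# Simplification (assumption): only "Match User <name[,name...]>" with literal
# names is recognised; patterns, negation and other Match criteria are ignored.

# sshd_config(5) defaults for the keywords checked here.
DEFAULTS = {"forcecommand": "none", "chrootdirectory": "none",
            "allowtcpforwarding": "yes", "x11forwarding": "no"}
REQUIRED = {"forcecommand": "internal-sftp",
            "allowtcpforwarding": "no", "x11forwarding": "no"}

# Constructed sample inputs.
SAMPLE_GOOD = """\
PasswordAuthentication no
Match User nick
    ChrootDirectory /home/nick
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
"""
SAMPLE_WEAK = """\
# constructed: sftp-only, but not chrooted and port forwarding is allowed
Match User guest,temp
    ForceCommand internal-sftp
    AllowTcpForwarding yes
"""

def effective_settings(config_text, user):
    """Defaults, then global settings, then every Match User block naming user."""
    glob, matched = {}, {}
    target = glob
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        keyword, value = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
        if keyword == "match":
            crit = value.split()
            hit = (len(crit) == 2 and crit[0].lower() == "user"
                   and user in crit[1].split(","))
            target = matched if hit else None   # skip blocks for other users
        elif target is not None:
            target.setdefault(keyword, value)   # sshd keeps the first value seen
    return {**DEFAULTS, **glob, **matched}

def audit(config_text, user):
    """Return a list of findings; empty means all four restrictions apply."""
    eff = effective_settings(config_text, user)
    findings = [f"{k} is '{eff[k]}', expected '{want}'"
                for k, want in REQUIRED.items() if eff[k].split()[:1] != [want]]
    if eff["chrootdirectory"].lower() in ("", "none"):
        findings.append("chrootdirectory is not set")
    return findings
```

Calling audit(SAMPLE_WEAK, "guest") returns two findings (forwarding allowed, no chroot). The check covers the configuration text only; sshd itself additionally requires every component of the ChrootDirectory path to be root-owned and not writable by any other user or group.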