[Semibug] ssh to host on local network

Josh Grosse josh at jggimi.net
Fri Apr 29 22:13:16 EDT 2022

On Fri, Apr 29, 2022 at 02:08:53PM -0600, Jonathan Drews wrote:
> ...The sole reason I wanted to grant my
> friend access to the computer was to allow him to downlaod a tarball
> containg a tutorial for GnuPlot. I decided it was easier to just
> upload the tarball to Google drive. 

Whenever I have shared files with someone via SSH, I've usually
set up an sftp-only user for the purpose.

* The user cannot use a shell; they can only connect via sftp(1).

* They are chroot(2)ed in their own home directory and have 
  no access to the filesystem outside it.

* I can set a quota(1) to prevent a large upload from 
  filling the filesystem containing their home directory.

* I never use passwords with SSH, so I have the external,
  untrusted user send me the public half of an SSH key pair
  that I can put in their ~/.ssh/authorized_keys file.

Here's an example tail(1) from an sshd_config(5) file
where I set up such an account, to share files with Nick
back in 2018.  Nick cannot log on with a password --
the account doesn't have one.  He can only use sftp
and only if he has the private half of his key pair
that matches the public half that he sent me.

Match User nick
   ChrootDirectory /home/nick
   ForceCommand internal-sftp
   AllowTcpForwarding no
   X11Forwarding no

You can also do this with a group of users via
"Match Group <group>" but on this particular SSH server
Nick was the only user I set this up for.

More information about the Semibug mailing list