http://sange.fi/~atehwa/cgi-bin/piki.cgi/ Recent changes in restricting SCP on per-user basis http://sange.fi/~atehwa/cgi-bin/piki.cgi/restricting%20SCP%20on%20per-user%20basis http://sange.fi/~atehwa/cgi-bin/piki.cgi/#1272382736 <p>SSH server implementations are not known for <del>its</del> <ins>their</ins> flexibility in per-user configuration. However, they turn out to provide just enough infrastructure to make it possible to make "special" accounts that are <del>just</del> <ins>only</ins> used for a specific task. Here, I will concentrate on OpenSSH and restricting access to file transfer and only a particular type of file transfer. <p>First, the right place to tweak things is to use public key authentication and forced commands. So make a key pair for the account you want to give restricted access to, give the private key to the people who need to use the restricted <del>service,</del> <ins>service (they need to invoke scp as scp -i path/to/private_key),</ins> and drop the public key into the <ins>server</ins> account's .ssh/authorized_keys. Then, add options to the beginning of the line so that the line reads something like <ins>this</ins> (the line has been broken for readability but should be on one line without a backslash, newline or space character): <p>[...] Tue, 27 Apr 2010 15:38:56 +0000