use*_*811 5 ssh backup debian access-control
我有一台运行 Debian 的小型服务器,我想添加一个具有 SSH 访问权限的帐户以进行备份。此帐户的用户不应具有控制台访问权限。他只能通过 SCP 向/从服务器上的一个目录传输(备份)数据,仅此而已。我怎样才能做到这一点?
编辑
我找到了解决办法。https://superuser.com/questions/299036/can-i-create-an-ssh-user-which-can-access-only-certain-directory包含一个不同的问题,但该解决方案完全解决了我的问题。
您可以指定在服务器上的授权密钥文件中使用哪个命令(这将覆盖用户提供的命令)。根据man sshd(AUTHORIZED_KEYS 文件格式部分):
command="command"\n Specifies that the command is executed whenever this key is used\n for authentication. The command supplied by the user (if any)\n is ignored. The command is run on a pty if the client requests\n a pty; otherwise it is run without a tty. If an 8-bit clean\n channel is required, one must not request a pty or should spec\xe2\x80\x90\n ify no-pty. A quote may be included in the command by quoting\n it with a backslash. This option might be useful to restrict\n certain public keys to perform just a specific operation. An\n example might be a key that permits remote backups but nothing\n else. Note that the client may specify TCP and/or X11 forward\xe2\x80\x90\n ing unless they are explicitly prohibited. The command origi\xe2\x80\x90\n nally supplied by the client is available in the\n SSH_ORIGINAL_COMMAND environment variable. Note that this\n option applies to shell, command or subsystem execution. Also\n note that this command may be superseded by either a\n sshd_config(5) ForceCommand directive or a command embedded in a\n certificate.\n放入authorized_keys文件中:
command="scp -t -- /var/tmp" ssh-rsa ......\n这会强制客户端上的命令scp some_file user@server:/some/directory\n创建/var/tmp/some_file。
检查用户是否无法覆盖~/.ssh/authorized_keys在服务器上覆盖!
您可以做出更多限制,仅允许来自某个客户端。我用:
\n\nno-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty,command="scp...\n| 归档时间: |
|
| 查看次数: |
6379 次 |
| 最近记录: |