fine tuning scp only ssh setup

Do you have a question? Post it now! No Registration Necessary.  Now with pictures!

Threaded View
Hi all,

I automated a backup procedure : a snapshot of a CVS is taken,
tar'ed, gzip'ed, gpg'ed and then scp'ed to a machine whose sole
purpose is to keep, and burn, backups (some backups are made
to other places, but I'm not responsible for those ones).

The machine that holds the backups (Linux) has only a single service
running : sshd. The iptables rules are fairly strict : everything is
disallowed, besides ICMP ping (with a limit) and incoming ssh
connection from the machine that does the backup of the CVS.

The backup machine doesn't need at all remote shell access, so
I followed the explanation from Richard Silverman to configure
a "scp only" ssh connection.

You can find his explanations here, for example :

I got everything working right, as you can see below :

[backupuser@devel ~/] $ ssh -1
Warning: Remote host denied X11 forwarding.
/usr/local/bin/ environment variable SSH_ORIGINAL_COMMAND not set
Connection to closed.
[backupuser@devel ~/] $ scp -1 sampleFile
sampleFile                                    100%    7   145.4KB/s   00:00
[backupuser@devel ~/] $

But only for SSH1 :(  

I use, for the moment, the "old" authorized_keys/autorized_keys2 file names.

My authorized_keys, on the backup machine, contains a single key and starts
like this :

command="perl /usr/local/bin/" 1024 35 12886375...

This is working fine. The perl script ensures that scp only is called
and with the right attributes (I may dig into the script and add some
customized test if I have some time).

But I don't know how I'm suppose to do with OpenSSH for realizing the
same with SSH2.

Richard said that for SSH2 it was simpler that for SSH1 :

Quoted text here. Click to load it

but there's no sftp-server in OpenSSH... So how should I format the
"command line" in authorized_keys2 (I know, I should stop using this
old filename) to authorize only sftp copies ?

I tried this :

[backupuser@dataholder ~]$ head -1 .ssh/authorized_keys2
command="sftp" ssh-rsa AAAAB3NzaC1yc2EAAAABIwAA...

And if I try to connect I had, unsurpisingly, an error :

$ ssh
usage: sftp [-vC1] [-b batchfile] [-o option] [-s subsystem|path] [-B
            [-F config] [-P direct server path] [-S program]
            [user@]host[:file [file]]
Connection to closed.
[backuper@galathea ~/] $

Note that I don't want to allow "everything SSH related" besides
obtaining a remote shell.

What I really want is "prevent everything SSH related" besides
allowing a one-way scp (from a single machine, to a single really
restricted user account, etc.).

Thanks in advance,


P.S :

It is not a big deal, this is more out of curiosity : things are already
working using SSH1 and look pretty secure. After all the backup server
can only be accessed from our local LAN... But I am paranoid and I really
wouldn't want one Windows machine of another developer to get compromised
which could then be used to attack the CVS server (even if it's chrooted)
which could then be used to attack the "backup" machine.

Re: fine tuning scp only ssh setup

    JL> But I don't know how I'm suppose to do with OpenSSH for realizing
    JL> the same with SSH2.

    JL> Richard said that for SSH2 it was simpler that for SSH1 :

    >> With SSH2, you can do this:
    >> # SSH2 [remote:~/.ssh2/authorization] key command
    >> /usr/local/bin/sftp-server

There's confusion here: when you write "SSH2", you mean protocol 2.  When
I wrote it in the book and on the web site (as is explained here: ), I meant the software product from

    JL> but there's no sftp-server in OpenSSH...

Yes, there is.

  Richard Silverman

ok I got it working

Quoted text here. Click to load it

Yup, my bad definetely : I read the article too fast and thought you
meant protocol 2 (I tried 'command="sftp-server"' to my .ssh/authorized_keys2
and of course it would not work).

Quoted text here. Click to load it

Oops, my bad again... There definetely is one, but it was not
in the path by default (and I read somewhere that there was no
sftp-server command in OpenSSH : maybe some really old doc or
just someone who wrote something wrong). Anyway, after reading
this wrong or old information and noticing that I had no
sftp-server though all ssh related packages where installed, I
wronly thought there was no sft-server command with OpenSSH.

Anyway, after reading your post, I got it working :

$ echo put sampleFile.tmp | sftp backupuser@
Connecting to
Changing to: /allowed
sampleFile.tmp                    100%   18     0.3KB/s   00:00

The copy (with sftp) works, but trying to ssh into the remote
machine doesn't (which is what I wanted to achieve in this case).

I also changed all permission of the remote user account to "read-only"
(and I use a special directory to send the files).

Now I'll install "rssh" as an additional precaution.

Thanks again,


Re: ok I got it working

[sftp-server in OpenSSH]
Quoted text here. Click to load it

Probably really old docs.  sftp-server was added 2000/08/31 and the sftp
client was added 2001/02/04.

Darren Tucker (dtucker at
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

Site Timeline