
Entries For: 2007

2007-06-20

Securing multi-user access to a single unix account via OpenSSH.


A small guide to chrooted rsync+ssh access with per-user directory restrictions, all with a single unix account.

Problem:

You want to let several people log in to one SSH account, but you do not want to give each of them the run of the whole account. More importantly, you want to deny them a shell altogether, allowing only scp, sftp and rsync.

Answer:

Note, this procedure is only possible for users with root access to the machine such as with a VPS or Dedicated Server. This is not possible with shared hosting accounts. (such as the GrokThis.net Advanced or Traditional accounts)

  1. First, install scprsynconly or scponly. My examples below use scprsynconly.
  2. Install fakechroot, a dynamically linked busybox and a statically linked busybox. The static one runs the wrapper shell outside the jail (step 7), where nothing can be injected into it through LD_PRELOAD; the dynamic one runs inside the jail, where fakechroot's preloaded library has to be able to intercept its filesystem calls.
  3. Create a chroot containing the scp, sftp-server, and rsync binaries. (or any combination thereof if you wish to restrict access to one of these). I used "makejail" with the following configuration (for rsync only)
    chroot="/home/myuser/rsync-chroot"
    testCommandsInsideJail=["rsync","scprsynconly","busybox-dynamic"]
    processNames=["rsync","scprsynconly","busybox-dynamic"]
  4. Edit /etc/ssh/sshd_config, adding "PermitUserEnvironment yes". Without it sshd ignores the environment="..." key option that the next step depends on.
    WARNING: This is a security risk in general. With it enabled, anyone holding a key for an account can set arbitrary variables (LD_PRELOAD, PATH, ...) for their login process, which is exactly how restricted shells get bypassed. The wrapper in step 7 limits that risk for "myuser" by being statically linked and clearing the environment, but the setting is global, so it remains an issue for any other SSH user on the machine whose shell does not do the same.
  5. For each user you wish to grant access, collect a public SSH key from them and add it to /home/myuser/.ssh/authorized_keys. Each key's options prefix names the directory that user will be jailed in, e.g. environment="SAFE_CHROOTDIR=/home/myuser/my_friends/johndoe". Example (actual key abbreviated):
    environment="SAFE_CHROOTDIR=/home/myuser/my_friends/eric" ssh-rsa AAAAB3NzaC1k0= eric.windisch
  6. Inside each "SAFE_CHROOTDIR", bind-mount the chroot tree read-only at ".chroot". You can do this as root with "mount --bind" (on Linux the read-only flag takes a second step, "mount -o remount,ro,bind" on the same mount point), or, as I have, with FUSE's bindfs, which allowed me to do this directly as user "myuser".
  7. Create the following script as "scprsynconly-wrapper" and set it as the login shell for user "myuser". It runs as myuser, who cannot call chroot(2), so fakechroot supplies the jail via LD_PRELOAD; that means the jail is only as strong as scprsynconly's restriction to scp/sftp/rsync (a statically linked program run inside it would see the real filesystem). The wrapper itself is interpreted by the statically linked busybox so that no LD_PRELOAD smuggled in through PermitUserEnvironment can be loaded into it, and "env -" then discards the whole inherited environment before anything dynamically linked starts.
     #!/bin/busybox-static sh
     # Login shell for myuser, run outside the jail. sshd passes "-c <command>"
     # in "$@"; SAFE_CHROOTDIR comes from the key's environment= option.
     # Refuse to run (rather than chroot into "") if it is missing or not a directory.
     [ -d "$SAFE_CHROOTDIR" ] || exit 1
     # "env -" drops everything the client or the key options may have injected.
     exec /bin/busybox-static env - \
         PATH="/.chroot/bin:/.chroot/usr/bin:/usr/bin:/bin" \
         /usr/bin/fakechroot -s /usr/sbin/chroot "$SAFE_CHROOTDIR" \
         "$SAFE_CHROOTDIR/.chroot/usr/bin/scprsynconly" "$@"
  8. To prevent downloads of the .chroot directory, move /home/myuser/rsync-chroot/usr/bin/rsync to rsync.real and create a shell script called "rsync" in its place (mode 755). It runs inside the jail, so its paths are relative to the jail root:
    #!/.chroot/bin/busybox-dynamic sh
    # Wrapper around the renamed rsync binary: adds an exclude for the
    # bind-mounted chroot tree so clients can neither list nor fetch it.
    exec /.chroot/usr/bin/rsync.real --exclude /.chroot "$@"
  9. Now, from a client machine holding one of the keys, simply run:
    rsync -e ssh -a myuser@myhost:/ dest_dir/
    Here "/" is the root of that key's jail, i.e. its SAFE_CHROOTDIR; the same user can push files by reversing the two arguments.
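As an added example, not code from the original post: a POSIX sh script with the checks an administrator would run before trusting the procedure above, since the wrapper in step 7 trusts whatever SAFE_CHROOTDIR sshd hands it. It assumes a jail base directory of /home/myuser/my_friends; the user names, the authorized_keys lines and the /proc/mounts-style table it writes are constructed samples, not real keys or mounts. It audits that every key line carries exactly one environment= option naming a jail directly under the base (rejecting a bare key, a path containing "..", and a second environment= such as LD_PRELOAD), and checks in a mounts table that a jail's .chroot is mounted read-only.

```shell
#!/bin/sh
# Added example, not code from the original post. Administrator checks for the
# per-key SAFE_CHROOTDIR scheme above; base directory, user names and the
# sample authorized_keys / mounts data below are constructed assumptions.
BASE=/home/myuser/my_friends      # assumed parent directory of every jail

# A jail name is one path component: non-empty, not "." or "..", no slash,
# only [A-Za-z0-9._-].
valid_name() {
    case "$1" in
        ''|.|..|*/*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# SAFE_CHROOTDIR, as sshd will hand it to the wrapper, must be an absolute path
# exactly one component below $BASE, so a mistyped or tampered key line can
# never jail someone in /home/myuser itself or above it. Lexical only (no stat).
valid_chrootdir() {
    case "$1" in
        "$BASE"/*) ;;
        *) return 1 ;;
    esac
    rest=${1#"$BASE"/}
    valid_name "$rest"
}

# Emit one authorized_keys line pinning a key to its jail.
# $1 = jail/user name (also the key comment), $2 = key type, $3 = key blob
make_key_line() {
    valid_name "$1" || return 1
    printf 'environment="SAFE_CHROOTDIR=%s/%s" %s %s %s\n' "$BASE" "$1" "$2" "$3" "$1"
}

# Audit an authorized_keys file: every non-comment line must start with exactly
# one option, environment="SAFE_CHROOTDIR=<valid jail>". A bare key leaves
# SAFE_CHROOTDIR unset; a second environment= (e.g. LD_PRELOAD) would reach the
# login shell. Rejected lines go to stderr, their count to stdout.
audit_authorized_keys() {
    bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*) continue ;;
        esac
        opts=${line%% *}                  # first field = the key options
        case "$opts" in
            'environment="SAFE_CHROOTDIR='*'"')
                dir=${opts#environment=\"SAFE_CHROOTDIR=}
                dir=${dir%\"} ;;
            *) dir='' ;;
        esac
        if [ -n "$dir" ] && valid_chrootdir "$dir"; then
            continue
        fi
        bad=$((bad + 1))
        printf 'rejected: %s\n' "$line" >&2
    done < "$1"
    echo "$bad"
}

# Confirm <jail>/.chroot is mounted read-only. $2 is a /proc/mounts-style file
# (device mountpoint fstype options ...), default /proc/mounts.
chroot_is_readonly() {
    mp="$1/.chroot"
    while read -r _dev mnt _fs opts _rest; do
        [ "$mnt" = "$mp" ] || continue
        case ",$opts," in
            *,ro,*) return 0 ;;
        esac
        return 1
    done < "${2:-/proc/mounts}"
    return 1
}

# --- constructed sample data; key blobs are placeholders, not real keys ---
TMP=$(mktemp -d) || exit 1
trap 'rm -rf "$TMP"' EXIT
SAMPLE_KEYS=$TMP/authorized_keys
SAMPLE_MOUNTS=$TMP/mounts
{
    make_key_line eric ssh-rsa AAAAB3NzaC1yc2Eexample=
    make_key_line johndoe ssh-rsa AAAAB3NzaC1yc2Eexample=
    echo '# bare key: SAFE_CHROOTDIR would be unset for this login'
    echo 'ssh-rsa AAAAB3NzaC1yc2Eexample= bob'
    echo 'environment="SAFE_CHROOTDIR=/home/myuser/my_friends/../.ssh" ssh-rsa AAAAB3NzaC1yc2Eexample= mallory'
    echo 'environment="SAFE_CHROOTDIR=/home/myuser/my_friends/eric",environment="LD_PRELOAD=/tmp/evil.so" ssh-rsa AAAAB3NzaC1yc2Eexample= eve'
} > "$SAMPLE_KEYS"
cat > "$SAMPLE_MOUNTS" <<'EOF'
/dev/sda1 / ext3 rw,relatime 0 0
bindfs /home/myuser/my_friends/eric/.chroot fuse.bindfs ro,nosuid,nodev,user_id=1000 0 0
bindfs /home/myuser/my_friends/johndoe/.chroot fuse.bindfs rw,nosuid,nodev,user_id=1000 0 0
EOF

# Demo: 3 of the 5 key lines are rejected; only eric's .chroot is read-only.
echo "rejected key lines: $(audit_authorized_keys "$SAMPLE_KEYS")"
chroot_is_readonly "$BASE/eric" "$SAMPLE_MOUNTS" && echo "eric: .chroot read-only"
chroot_is_readonly "$BASE/johndoe" "$SAMPLE_MOUNTS" || echo "johndoe: .chroot NOT read-only"
```

Run it with sh to see the sample audit; on a live host, point audit_authorized_keys at /home/myuser/.ssh/authorized_keys and chroot_is_readonly at the real /proc/mounts after every key change or reboot. The checks are lexical on purpose: a path with ".." or a second environment= option is rejected before anyone gets to test it against the filesystem.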

2007-06-09

Grand opening of new community portal!

We welcome you to the brand-new GrokThis.net community portal!

This is replacing our old forums with all new ones... and is introducing a wiki and a business blog.  (some of you may have been following Eric Windisch's personal blog, but this is an all-new official GrokThis.net blog!)


We will be using the community portal as a way of notifying customers of changes, updates, maintenance, etc.  The facilities offered to us through the portal software should make it easy for us to create automatic email updates for changes to content.

The community portal is based on Plone, just one of many excellent applications that GrokThis.net supports under the Advanced Hosting account.
