Please be aware that due to a recent SSH vulnerability in Debian & Ubuntu, we have replaced all of our SSH host keys, which may prompt a warning/error when logging into our systems.

We highly advise that customers using a Debian or Ubuntu desktop system create new SSH keys.  VPS customers update their OS and replace their OpenSSH host keys.  We are in the process of scanning our customer's accounts for insecure keys and will be removing and/or replacing these shortly.

While we understand these actions can cause an inconvenience for many customers, we would rather deal with such inconveniences than with compromised/hacked accounts.  We hope that you can understand.

Thank you,

Eric Windisch
GrokThis.net

Problem:

You want to give multiple physical users access to an SSH account but do not want to give each of the users full access to your account. More importantly, you want to restrict shell access, only allowing scp/sftp/rsync.

Answer:

Note, this procedure is only possible for users with root access to the machine such as with a VPS or Dedicated Server. This is not possible with shared hosting accounts. (such as the GrokThis.net Advanced or Traditional accounts)

1. First, install scprsynconly or scponly. My examples below use scprsynconly.
   
2. Install fakechroot, a dynamically linked busybox and a statically linked busybox.
   
3. Create a chroot containing the scp, sftp-server, and rsync binaries. (or any combination thereof if you wish to restrict access to one of these). I used "makejail" with the following configuration (for rsync only)

   chroot="/home/myuser/rsync-chroot"
   testCommandsInsideJail=["rsync","scprsynconly","busybox-dynamic"]
   processNames=["rsync","scprsynconly","busybox-dynamic"]
   

4. Edit /etc/ssh/sshd_config, adding "PermitUserEnvironment yes".
   

   WARNING: This can be a security risk. This procedure should limit that risk when using our custom shell, but this could be an issue if you have other SSH users on the machine.

5. For each user you wish to grant access, collect from them a public SSH key, placing their keys into /home/myuser/.ssh/authorized_keys. Each key should specify the directory to which they will be jailed: envrionment="SAFE_CHROOTDIR=/home/myuser/my_friends/johndoe". Example: (actual key abbreviated)
   

   environment="SAFE_CHROOTDIR=/home/myuser/my_friends/eric" ssh-rsa AAAAB3NzaC1k0= eric.windisch

6. Inside each "SAFE_CHROOTDIR", mount-bind the chroot directory readonly as '.chroot'. You can do this as root with 'mount --bind', or as I have, with FUSE's bindfs which allowed me to do this directly as user 'myuser'.
7. Create the following script as "scprsynconly-wrapper", and set this as the shell for user "myuser".
   

    #!/bin/busybox-static sh
   /bin/busybox-static env - \
           PATH="/.chroot/bin:/.chroot/usr/bin:/usr/bin:/bin" \
           /usr/bin/fakechroot -s /usr/sbin/chroot "$SAFE_CHROOTDIR" \
           "$SAFE_CHROOTDIR/.chroot/usr/bin/scprsynconly" "$@"
   

8. To preven downloads of the .chroot directory, move /home/myuser/rsync-chroot/usr/bin/rsync to rsync.real and create a shell script called 'rsync' (mode 755):
   

   #!/.chroot/bin/busybox-dynamic sh
   .chroot/usr/bin/rsync.real --exclude /.chroot $@

9. Now, simply do from your client machine:
   

   rsync -e ssh -a myuser@myhost:/ dest_dir/