Restrict scp access

Is it possible to restrict scp access to specific directories, similar to NFS or Samba?

Yes, it is.
I installed MySecureShell, and set the login shell to /usr/bin/MySecureShell in /etc/passwd.
I have tested sftp, scp, and ssh.
sftp and scp restrict the user to the home directory.
ssh fails for lack of a login shell.
https://mysecureshell.readthedocs.io/en/latest/

Hello,

It's good that you've found a solution - well done, and thank you for sharing that here for others who may have the same or a similar question in the future.

Personally I'm not familiar with MySecureShell, so I can't really add much to what you've already said regarding it. Myself, in the past when I've needed to lock down SCP users I've gone down the road of setting up a chroot'd environment within which sshd is then configured to lock the users to specific per-user home directories, to prevent them wandering outside of that chroot. This can be done without adding any third-party software, and only using the native components provided by OpenSSH and your Linux/UNIX distro itself.

MySecureShell certainly seems like a simpler solution from an installation and configuration standpoint, and if it works for you, then that's great. One thing to keep in mind, however, is that whenever you add an additional piece of software or extra layer of complexity on to a solution, you always increase the chance of something going wrong someday if one part of that stack develops an issue (such as a security exploit, or bug being uncovered that can impact service or availability). Something to keep in mind, but as I say, if this works for you and does what you need it to, then that's great, and once again, thanks for sharing your solution with the community.

1 Like
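An added example, not part of either post and not the poster's actual configuration, of the native OpenSSH approach described in the reply above: an `sshd_config` fragment that chroots members of one group into per-user directories. The group name `xferonly` and the base path `/srv/xfer` are assumptions chosen for illustration.

```conf
# /etc/ssh/sshd_config (fragment) -- illustrative values, adjust to your system.
# Assumed names: group "xferonly", base directory "/srv/xfer".

# Use the in-process SFTP server so the chroot needs no binaries,
# libraries or device nodes copied into it.
Subsystem sftp internal-sftp

Match Group xferonly
    # %u expands to the login name, giving each user a separate root.
    # sshd refuses the login unless every component of this path is
    # owned by root and not writable by group or others.
    ChrootDirectory /srv/xfer/%u

    # Ignore whatever command or shell the client asks for and run
    # the SFTP server only; an interactive ssh login gets no shell.
    ForceCommand internal-sftp

    # Close the side channels a file-transfer account does not need.
    AllowTcpForwarding no
    X11Forwarding no
    PermitTTY no

# Directory layout expected by the fragment above (run as root),
# shown for a constructed user "alice":
#
#   /srv/xfer            root:root  0755
#   /srv/xfer/alice      root:root  0755   <- chroot root, not user-writable
#   /srv/xfer/alice/data alice:xferonly 0750  <- where alice can write
#
# Validate before reloading the daemon:  sshd -t
```

Because the session is forced to `internal-sftp`, `scp` works only when the client speaks the SFTP protocol (the default in OpenSSH 9.0 and later); a client using the legacy scp protocol (`scp -O`) will fail against this configuration.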

Yes, there are many ways to accomplish this kind of task.

If it was me, based on the short description, I would simply create a user and just set up the proper permissions for that user id without adding more layers of software to the solution stack.