I’m interested in using an application that wants a ssh key to push files over SFTP to my TrueNAS Scale box. I’d like to do as much as I can on the NAS to constrain the account/keypair to only be able to upload files, and only to the directory specified.
Looking over existing forum posts, I see some descriptions of modifying sshd_config to lock accounts to only their home directory, and that this requires root/wheel owning all of the directories in the path. I would like a different solution, if it exists.
Did you set the shell for this “restricted account” to “scponly”? (This can be done in the user’s config page.)
I believe this will give the user access to SSH/SFTP, pushing keys, uploading and downloading files, transferring over Rsync, etc, but the user will not be allowed to login to a terminal session.
scponly was removed from Debian 12 years ago. Don’t know why, maybe security? We could look at enabling alternatives, but maybe a good feature request to gauge how many others miss that option?
This is my self portrait. Thanks for embarrassing me in front of all these people.
I don’t believe so? I think nologin will not even allow scp, SFTP transfers, Rsync over SSH, and other transfers over SSH. It will simply reject any commands from the user.
I remember I had to explicitly use “scponly” to do what the OP is suggesting, for my own use-case. (Transfering, without the need to allow shell access.)
I gave it a shot. Created a new user with password auth disabled, shell set to nologin, with home directory, and with an authorized key. sftp didn’t seem to work.
Thanks for the suggestion. That looks like it could work, but I’d like to avoid the root:wheel path requirements, and locking all other sftp users into their home directories.
So it seems like you can achieve this with ‘nologin’ selected however you would need to add the following to the Auxiliary Parameters in the SSH service.
