search

KatherLab / swarm-learning-hpe

Experimental repo for Odelia project based on HPE platform. This repo contains multiple models for histopathology and radiology training.
MIT License
12 stars 1 forks source link

Verify if a certain dir(private dataset) can be protected when allowing others to ssh to your laptop #36

Open Ultimate-Storm opened 1 year ago

Ultimate-Storm commented 1 year ago

To protect a certain directory when allowing others to SSH to your laptop, you can use file permissions to restrict access to that directory.

Here are the steps to follow:

Create a new user account for the person you want to allow SSH access to your laptop. You can do this by running the following command in your terminal:

sudo adduser <username>

Switch to the new user account by running the following command:

su <username>

Create a new directory for the person to access, and change its ownership to the new user account:

mkdir <directory>
chown <username>:<username> <directory>

Change the permissions of the directory to allow only the owner to read, write, and execute:

chmod 700 <directory>

Edit the SSH server configuration file (/etc/ssh/sshd_config) to allow the new user account to SSH into your laptop. Add the following line to the end of the file:

AllowUsers <username>

Restart the SSH service to apply the changes:

sudo service ssh restart

Now, when the person you have allowed to SSH into your laptop logs in, they will only have access to the specified directory and will not be able to access any other parts of your system.

kevinxpfeiffer commented 1 year ago

Suggestion workaround: Create new user only for sharing:

sudo adduser swarm-share

Make opt folder only accessible for root and swarm group:

sudo chmod 700 /opt/hpe
sudo addgroup swarm-group
sudo usermod -aG swarm-group swarm
sudo chgrp -R swarm-group /opt/hpe
sudo chmod 770 /opt/hpe

Then copy the certificate from swarm to swarm-share and use normal scp with ssh to swarm-share :)

Ultimate-Storm commented 1 year ago

Another option:

To restrict a Linux account to only allowed commands (scp, sftp, rsync) and disallow ssh access, you can follow these steps:

Create a new group for the restricted account: sudo groupadd restricted_group Add the restricted user to the new group: sudo usermod -a -G restricted_group restricted_user Create a new shell script in the restricted user's home directory:

sudo nano /home/restricted_user/restricted_shell.sh In the script, add the following lines:

#!/bin/bash
case "$1" in
    scp|sftp|rsync)
        $1 $2 $3 $4 $5
        ;;
    *)
        echo "This account is restricted to only scp, sftp and rsync commands"
        exit 1
        ;;
esac

Save and close the file.

Make the script executable:

sudo chmod +x /home/restricted_user/restricted_shell.sh Change the restricted user's shell to the new script:

sudo usermod -s /home/restricted_user/restricted_shell.sh restricted_user Test the restricted account by trying to log in via SSH. SSH access should be disallowed and only scp, sftp, and rsync commands should be allowed. Note: It's important to thoroughly test the restricted account to ensure that it meets your security requirements.

swag-bmbf commented 2 weeks ago

the certs etc. could also provide the files as docker volume in a separate (non-priviledged) docker container running openssh server (e.g. for the tailscale docker images this is already included). It has some other benefits of healthchecks, automated restart (autohealing) if wanted etc.