Automating Backup Downloads With WinSCP
On the Server
The first thing I did was create a user that handles nothing else but the copying of backups. While I could have used an account that already exists, I decided to create an account that I could restrict as much as possible.
The -s /usr/sbin/nologin option changes the default shell so that this user does not have shell access and creates a little extra security. Since it was not already there on my Debian install, I added /usr/sbin/nologin to the /etc/shells file.
For my purposes, the backup_user was only used for copying backups from my server to my Windows desktop. As such, I decided to limit it to only using ssh for sftp. To do this, I added the following lines to the /etc/ssh/sshd_config file:
I also commented out all other lines that referenced Subsystem sftp.
The ChrootDirectory %h option locks the user to their home directory. Because of the way SSH’s chroot works, the directory it uses must be wholly owned by root, and can only be writable by root. The command below takes care of that for my backup_user’s home directory.
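The ownership rule above applies to every directory on the path to the chroot, not just the home directory itself: each component must be root-owned and not writable by group or others, or sshd drops the session at login. The following check is an added example, not the command from the original post; it assumes GNU stat (as on Debian), and the function names and the /home/backup_user path in the comment are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes GNU stat (Debian).

# component_ok UID MODE
# A chroot path component is acceptable only if root owns it and neither
# group nor others can write to it (mode & 022 == 0).
component_ok() {
    [ "$1" -eq 0 ] && [ $(( 0$2 & 022 )) -eq 0 ]
}

# check_chroot_path DIR
# Walks from DIR up to /, reports every component that breaks the rule,
# and returns non-zero if any component fails.
check_chroot_path() {
    case "$1" in
        /*) ;;
        *) echo "need an absolute path: $1" >&2; return 2 ;;
    esac
    p=$1
    rc=0
    while :; do
        if [ ! -d "$p" ]; then
            echo "BAD $p: not a directory"
            rc=1
        else
            # -L: judge the directory a symlink points to, not the link
            owner_mode=$(stat -L -c '%u %a' "$p")
            uid=${owner_mode% *}
            mode=${owner_mode#* }
            if ! component_ok "$uid" "$mode"; then
                echo "BAD $p: uid=$uid mode=$mode"
                rc=1
            fi
        fi
        [ "$p" = "/" ] && break
        p=$(dirname "$p")
    done
    return "$rc"
}

# Run as: sh check_chroot.sh /home/backup_user   (path is an assumption)
if [ $# -gt 0 ]; then
    check_chroot_path "$1"
fi
```

Because the chroot itself cannot be writable by the backup account, any files that account needs to write must go in a subdirectory it owns inside the chroot.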
On the Client/Desktop
First I created an SSH key without a password for the backup_user. This makes it so I can run this automatically in the background without user intervention. This key without a password is the main reason I placed so many limitations on the backup_user’s account and ssh access.
I also created a WinSCP script for transferring backups from the server that used the above ssh key. I saved it as C:\backup.txt to make the command line entry easier.
The script can be run with WinSCP with the command-line parameter /script="C:\backup.txt" to automatically copy documents from the remote directory to the local one. I created a Scheduled Task to run the above once a week.