< Billy Overton >

Programmer / Technology Consultant

Automating Backup Downloads With WinSCP

Posted 2013-10-02 | Billy Overton

On the Server

The first thing I did was create a user that handles nothing else but the copying of backups. While I could have used an account that already exists, I decided to create an account that I could restrict as much as possible.

useradd -m -s /usr/sbin/nologin backup_user

The -s /usr/sbin/nologin option sets the login shell to one that immediately exits, so the account cannot be used for an interactive shell; -m creates the home directory, which is needed below for the chroot. useradd only warns when the shell is not listed in /etc/shells, and it is better to leave /usr/sbin/nologin out of that file: some services (FTP daemons, for example) consult /etc/shells to decide which accounts may log in at all, and listing nologin there would make backup_user look like a normal login account to them.

For my purposes, the backup_user was only used for copying backups from my server to my Windows desktop. As such, I limited it to SFTP only. To do this, I added the following lines to the end of /etc/ssh/sshd_config:

Subsystem sftp internal-sftp
Match User backup_user
    ChrootDirectory %h
    X11Forwarding no
    AllowTcpForwarding no
    ForceCommand internal-sftp

A Match block runs until the next Match line or the end of the file, so it must come last; anything placed after it would also apply only to backup_user. The Subsystem line must stay in the global section above the Match block. I also commented out all other lines that referenced Subsystem sftp, since sshd rejects a duplicate Subsystem entry. Running sshd -t after editing checks the file for syntax errors before the service is restarted.

The ChrootDirectory %h option locks the user into their home directory. sshd refuses the login unless the chroot directory, and every parent directory up to /, is owned by root and is not writable by group or others (the refusal shows up in the auth log as "bad ownership or modes for chroot directory"). The commands below take care of that for my backup_user's home directory:

chown root:root /home/backup_user
chmod 755 /home/backup_user

A consequence is that backup_user cannot write into its own home directory. For a download-only account that is exactly what is wanted; the backup job that produces the files runs as root and drops them in there.

On the Client/Desktop

First I created an SSH key without a passphrase for backup_user. This makes it possible to run the transfer automatically in the background without user intervention. A key without a passphrase is the main reason I placed so many limitations on backup_user's account and SSH access: anyone who obtains the .ppk file gets exactly what the account can do, and nothing more. The key can be limited further on the server side with options in front of it in authorized_keys, for example from= restricting it to the desktop's address, and the .ppk file on the desktop should be readable only by the account that runs the scheduled task.

I also created a WinSCP script for transferring backups from the server that uses the above SSH key. I saved it as C:\backup.txt to keep the command line short.

option batch abort
option confirm off
option echo off
open sftp://backup_user@example.com -privatekey="C:\backup_key.ppk"
synchronize local -criteria=none ""
exit

The script is run with the console version of WinSCP, winscp.com, with the command-line parameter /script="C:\backup.txt", and copies files from the remote directory to the local one. The -criteria=none switch turns off the time and size comparison, so backups that already exist locally are not downloaded again. The empty string for the local directory means WinSCP's current working directory, which for a scheduled task is not predictable, so giving the full local path there is safer. Because option batch abort makes the script fail on any prompt, the server's host key must either already be cached for the Windows account that runs the task or be pinned in the open command with the -hostkey= switch. I created a Scheduled Task to run the above once a week.