>> I created the backup users and everything works as long as the backup
>> users have shells on the backup server and are listed in AllowUsers in
>> /etc/ssh/sshd_config on the backup server. Did I do something wrong
>> or should the backup users need shells and to be listed in AllowUsers?
>
> I'm not too familiar with rsync backups. A shell might be required, but if you
> set the command run on the server-side in the "authorized_keys" it should
> prevent any other command from being run.

I'm actually talking about rdiff-backup. I'm prompted for a password if
the backup user doesn't have a shell. Are you able to rdiff-backup
without a shell on the backup server?

>> Should I set up any extra restrictions for them in sshd_config?
>
> I have disabled all password-logins and only allow shared-key logins.

I want to be prompted for a password with my normal user but I want the
backup users to be restricted. I tried 'ChallengeResponseAuthentication
no' within a Match block for a backup user but
ChallengeResponseAuthentication isn't allowed in a Match block. Are my
options to restrict all users or none?

- Grant
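
The per-user restriction asked about above, as an added example that is not part of the original message: a Match block that turns off password prompts for one backup account only, next to the forced-command key entry mentioned in the quoted reply. The account names `grant` and `backup-host1`, the key comment and the key material are hypothetical placeholders, and it assumes an OpenSSH version whose Match blocks accept the keywords shown.

```conf
# ---- /etc/ssh/sshd_config on the backup server (constructed example) ----
# Global default: normal users may still be prompted for a password.
PasswordAuthentication yes

# When AllowUsers is set, only the listed accounts may log in, so the
# backup accounts have to appear here. "grant" and "backup-host1" are
# hypothetical names.
AllowUsers grant backup-host1

# Match blocks go at the end of the file. Their settings override the
# globals above only for the matching user, until the next Match line.
# ChallengeResponseAuthentication is rejected inside Match, but
# PasswordAuthentication and KbdInteractiveAuthentication are accepted.
Match User backup-host1
    PasswordAuthentication no
    KbdInteractiveAuthentication no
    AllowTcpForwarding no
    X11Forwarding no

# ---- ~backup-host1/.ssh/authorized_keys (one line per key) ----
# The forced command replaces whatever the client asks to run. sshd starts
# it through the account's login shell, so the account keeps a valid shell.
# The key material below is a placeholder.
command="rdiff-backup --server",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-rsa AAAA...PLACEHOLDER... backup@host1
```

Running `sshd -t` checks the file for syntax errors before a reload, and `sshd -T -C user=backup-host1,host=client.example,addr=192.0.2.10` prints the settings that would apply to that account.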