scp only key authentication?

From: Doug O'Leary (
Date: 04/13/04

Date: Tue, 13 Apr 2004 20:53:09 GMT

Hey, all;

I'm working with a client that's running openssh 3.7.1. They have a need
for one designated account to use public/private key authentication to
scp a file from a server to a client.

The client's philosophy is that public/private key authentication is a
trust relationship - similiar in scope to a trust relationship using
UNIX r-commands. That's obviously not quite true; however, the client
is very happy and, so far, very successful operating under that
philosophy so changing it isn't an option.

They would like to limit the public/private key authenticated access
to scp (and only scp) one particular file. In other words, the
account in question won't be able to get a terminal session, shell
prompt using ssh - and it would only be able to scp the one file
down from the server, not put anything, not get anything else.

I haven't heard of anyone even attempting this level of restriction
using public/private key authentication. My first thought was to
use the command option in the authorize_keys2 file; however, haven't
gotten much further than the pondering stage.

Does anyone know of a cleaner/brighter way of implementing this type
of restriction to scp and P/P key authentication?

Thanks for any hints/tips/suggestions.

Doug O'Leary

Senior UNIX Admin
O'Leary Computer Enterprises (w) 630-904-6098 (c) 630-248-2749