
restrict "cross group" login access with authorized keys


sbl...@gmail.com

Oct 16, 2009, 10:47:12 AM
Operating system platform: RHEL 4, RHEL5, AIX 5.3, Solaris 8, Solaris
10

Our hosts now have 2 groups that are allowed remote login access via
SSH: one group contains real users, the 2nd group contains
generic/application accounts and will primarily be used for scp/file
transfers.

Accounts from both groups are able to log in to hosts via SSH either
via password authentication or key based authentication and this
currently works.

The reason for the groups is an attempt to prevent real users from
logging in to hosts using generic/application accounts.


Problem: how can we prevent real users in group A from a successful
login to accounts in group B if they install their public key to a
group B account authorized key file?

Nico Kadel-Garcia

Oct 16, 2009, 3:42:17 PM

There are two typical approaches. One is to use a restricted shell:
git does this. Another is to use the command settings of the stored
authorized_keys to restrict the permitted commands: this is typically
used for rsync.

But if you want file transfer as a separate technology, you might look
into WebDAV over HTTPS, which is web browser accessible, allows upload
with some clients, and works with SSL keys and other techniques.
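
One way to check that every key in a group B account's authorized_keys carries the forced-command restriction mentioned in the reply above. This is an added example, not part of the original thread; the wrapper path `/usr/local/bin/transfer-only`, the key blobs and the key comments are constructed for illustration.

```python
import re

Q = r'"(?:\\"|\\(?!")|[^"\\])*"'               # quoted value; \" is the only escape
FIELD = re.compile(rf'(?:[^\s"]|{Q})+')        # whole options field, up to unquoted space
OPT = re.compile(rf'(?:[^\s,"]|{Q})+')         # one option, e.g. command="a, b"
KEYTYPE = re.compile(r"(ssh-|ecdsa-|sk-)")     # an entry without options starts here
ALLOWED = {"/usr/local/bin/transfer-only"}     # hypothetical approved wrapper
SAMPLE = r'''# constructed entries for a group B account, not real keys
command="/usr/local/bin/transfer-only",no-pty,no-port-forwarding ssh-rsa AAAAconstructed1 batch@apphost
ssh-rsa AAAAconstructed2 alice@workstation
command="/bin/sh -c \"echo a, b\"" ssh-dss AAAAconstructed3 ops@jump
command="/usr/local/bin/transfer-only" ssh-rsa AAAAconstructed4 feed@apphost
'''

def parse_entry(line):
    """Return (options, fields) for one line, or None for a blank or comment line."""
    line, opts = line.strip(), {}
    if not line or line.startswith("#"):
        return None
    if not KEYTYPE.match(line):                # leading options field present
        m = FIELD.match(line)
        field = m.group() if m else line       # unparsable line ends up flagged
        line = line[len(field):].strip()
        for opt in OPT.findall(field):
            name, _, value = opt.partition("=")
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1].replace('\\"', '"')
            opts[name.lower()] = value
    return opts, line.split(None, 2)           # key type, key blob, comment

def audit(text, allowed=ALLOWED):
    """List (line_no, key_comment, problem) for keys that allow more than a transfer."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        entry = parse_entry(raw)
        if entry is None:
            continue
        opts, fields = entry
        who = fields[2] if len(fields) > 2 else "(no comment)"
        locked = "restrict" in opts or {"no-pty", "no-port-forwarding"} <= set(opts)
        if "command" not in opts:
            findings.append((n, who, "no forced command"))
        elif opts["command"] not in allowed:
            findings.append((n, who, "forced command not approved"))
        elif not locked:
            findings.append((n, who, "pty or port forwarding still allowed"))
    return findings
```

Calling `audit(SAMPLE)` reports lines 3, 4 and 5 of the sample; a check like this only detects unrestricted keys after they have been added.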
