The scponly program allows you to set the shell of a remote user so that they can copy files to the server using scp but cannot login using ssh. This is ideal for remote backups.
# install the scponly package
sudo apt-get install scponly
# create the scp user and set their login shell to be scponly
sudo useradd -m -s /usr/bin/scponly scpuser
# create the .ssh directory
sudo mkdir /home/scpuser/.ssh
# create a key pair
sudo ssh-keygen -f /home/scpuser/.ssh/id.rsa (no passphrase if used for automated backups)
# create the authorized_keys file using the public key
sudo cp /home/scpuser/.ssh/id.rsa.pub /home/scpuser/.ssh/authorized_keys
# correct the ownership (creating keys can't be done as scpuser as no login shell!)
sudo chmod 755 /home/scpuser/.ssh
sudo chmod 644 /home/scpuser/.ssh/authorized_keys
sudo chown -R scpuser:scpuser /home/scpuser
# finally move the private key off the server (e.g. onto a USB stick)
# mv /home/scpuser/.ssh/id.rsa /media/usb/keys/scp_id.rsa
sudo apt-get install scponly
# create the scp user and set their login shell to be scponly
sudo useradd -m -s /usr/bin/scponly scpuser
# create the .ssh directory
sudo mkdir /home/scpuser/.ssh
# create a key pair
sudo ssh-keygen -f /home/scpuser/.ssh/id.rsa (no passphrase if used for automated backups)
# create the authorized_keys file using the public key
sudo cp /home/scpuser/.ssh/id.rsa.pub /home/scpuser/.ssh/authorized_keys
# correct the ownership (creating keys can't be done as scpuser as no login shell!)
sudo chmod 755 /home/scpuser/.ssh
sudo chmod 644 /home/scpuser/.ssh/authorized_keys
sudo chown -R scpuser:scpuser /home/scpuser
# finally move the private key off the server (e.g. onto a USB stick)
# mv /home/scpuser/.ssh/id.rsa /media/usb/keys/scp_id.rsa