From: Derek Martin (code_at_pizzashack.org)
Date: Wed, 6 Aug 2003 13:18:34 -0400
To: firstname.lastname@example.org
-----BEGIN PGP SIGNED MESSAGE-----
On Tue, Aug 05, 2003 at 10:46:37AM -0700, Ranjeet Shetye wrote:

[My earlier comments snipped]

> >The problem here is that when you sftp to a host, sshd starts a copy
> >of the user's shell, with the command-line options appropriate for
> >running sftp-server, the server-side portion of sftp. Essentially:
> > /path/to/shell -c /path/to/sftp-server
> >Your version of a shell will not allow this to work.

> what about just using a simple "/bin/false" for the login shell for
> user ids that I don't want to log in but which I set up for sFTP? that's

This will work fine if you want to completely disable the account, but
it will NOT work if you want to allow sftp, for exactly the same
reasons as stated above. For sftp/scp to work, the user's shell MUST
allow the execution of commands, and MUST accept the -c option to
specify what command to run.

If you need this, you'll want to use something like rssh:

rssh mimics the functionality of a normal shell, but only allows the
execution of scp and/or sftp-server, depending on how you configure
it. Any other method besides that used by rssh will simply not work.

Another program which works (which does basically the same thing as
rssh) is scponly.

Derek D. Martin
GPG Key ID: 0xDFBEAD02
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
-----END PGP SIGNATURE-----
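
The `-c` mechanism described in the message above, sketched as a login-shell wrapper. This is an added example, not part of the original post and not code from rssh or scponly; the sftp-server path and the installed name `restricted-sftp-shell` are assumptions, and it covers only the sftp-server case, not scp.

```shell
#!/bin/sh
# Added example: a login shell that accepts "-c <command>" the way sshd
# passes it, but runs only sftp-server. Not rssh or scponly source.

# Assumed path; it must equal the "Subsystem sftp" entry in sshd_config.
# Hard-coded on purpose: taking it from the environment would let a user
# who controls their environment choose the allowed binary.
SFTP_SERVER=/usr/lib/openssh/sftp-server

# decide ARGS...  -> prints "allow" or "deny: <reason>"
# sshd starts the login shell as:  <shell> -c "<command string>"
# /bin/false ignores -c and exits 1, which is why it blocks sftp as well.
decide() {
    if [ "$#" -ne 2 ] || [ "$1" != "-c" ]; then
        # No arguments means an interactive login; anything else is malformed.
        echo "deny: expected exactly -c <command>"
    elif [ "$2" != "$SFTP_SERVER" ]; then
        # Exact string comparison. The command string is never word-split,
        # eval'd or handed to another shell, so appended arguments or
        # metacharacters ("...sftp-server; id") simply fail to match.
        echo "deny: command not allowed"
    else
        echo "allow"
    fi
}

main() {
    verdict=$(decide "$@")
    if [ "$verdict" = "allow" ]; then
        # Replace this process with sftp-server; no shell is left behind.
        exec "$SFTP_SERVER"
    fi
    echo "restricted account: $verdict" >&2
    exit 1
}

# Act as a shell only when installed under the assumed name, so the
# functions above can be sourced and checked without side effects.
case "$0" in
    */restricted-sftp-shell) main "$@" ;;
esac
```

To be usable as a login shell, the installed script's path would also have to be the account's shell in the passwd database.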