Re: openssh: Enabling sftp, but disabling ssh?

Benjamin Donnachie wrote:
Mark Holden wrote:
Does anybody know if it's possible, using openssh, to allow file
transfer to/from a machine, using sftp, for a specific userid, and
disallow ssh login/remote command execution for that same userid? Other
userids on the machine should be unaffected.

I do exactly that on my system; you can't achieve it with OpenSSH alone
and need to use a helper allocation such as either scponly[1] or rssh[2].

In the next release of OpenSSH (4.4, ETA "soon") you can by combining the new "Match" and "ForceCommand" directives:

Match User sftponly
AllowTcpForwarding no
X11Forwarding no
ForceCommand /usr/libexec/sftp-server -l INFO

Darren Tucker (dtucker at
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

Relevant Pages