Re: Allow SFTP sessions and refuse interactive SSH access for some users.

From: Mikhail Teterin (usenet_at_aldan.algebra.com)
Date: 05/12/04

    Date: Wed, 12 May 2004 17:20:16 -0400
    
    

    Darren Tucker wrote in <c7p8q4$60j$1@gate.dodgy.net.au>:

    > In article <1114404.vpb6o1qevP@Misha>,
    > Mikhail Teterin <usenet@aldan.algebra.com> wrote:
    >>Ed wrote in <95383172.0402180439.4e0dcb7c@posting.google.com>:
    >>
    >>> Somebody knows if it is possible to allow some users to be able to
    >>> connect on an SSH server in SFTP mode and denying access to these same
    >>> users when they use SSH interactive mode (i.e. allowing only SFTP
    >>> session for some particular user) ?
    >>
    >>How about changing that user's login shell to /sbin/nologin
    >>or /usr/bin/false or /nonexistant?

    > No, that won't work (with OpenSSH, anyway). sshd checks that the user's
    > shell is valid (ie listed in /etc/shells) before a login is permitted
    > and the shell is used to exec sftp-server.

    Yes, I found that out now. But setting the user's shell
    to /usr/libexec/sftp-server seems to work (may need to list it
    in /etc/shells too). Note that scp will not work this way -- sftp only...

            -mi
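
The check discussed in this thread, as an added example that is not part of the original posts: a POSIX shell function that reads passwd-format and shells-format files and reports which accounts have sftp-server as their login shell and whether that shell is listed. The function name, status labels and sample accounts are constructed for illustration; the rule that an unlisted shell blocks login is taken from the thread as stated, not verified against a particular sshd version.

```sh
#!/bin/sh
# Added example (not from the thread): classify accounts by login shell.
# Usage: audit_shells PASSWD_FILE SHELLS_FILE [SFTP_SERVER_PATH]
audit_shells() {
    awk -F: -v sf="$2" -v sftp="${3:-/usr/libexec/sftp-server}" '
        # shells(5) format: one path per line, "#" starts a comment.
        FILENAME == sf {
            sub(/#.*/, ""); sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "")
            if ($0 != "") listed[$0] = 1
            next
        }
        /^#/ || NF < 7 { next }            # skip comments and malformed entries
        {
            shell = ($7 == "") ? "/bin/sh" : $7   # empty field means /bin/sh
            if (shell == sftp && (shell in listed)) status = "sftp-only"
            else if (shell == sftp)                 status = "sftp-shell-unlisted"
            else if (shell in listed)               status = "interactive"
            else                                    status = "shell-unlisted"
            print $1, status
        }
    ' "$2" "$1"
}

# Constructed sample data: one normal user, one SFTP-only account as
# suggested in the thread, and one account with the /sbin/nologin shell
# that the thread reports as not working.
demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/shells" <<'EOF'
# constructed sample
/bin/sh
/usr/libexec/sftp-server
EOF
    cat > "$dir/passwd" <<'EOF'
alice:*:1001:1001:Alice:/home/alice:/bin/sh
upload:*:1002:1002:SFTP drop:/home/upload:/usr/libexec/sftp-server
guest:*:1003:1003:Guest:/home/guest:/sbin/nologin
EOF
    audit_shells "$dir/passwd" "$dir/shells"
    rm -rf "$dir"
}

demo
```

On a live host the call would be `audit_shells /etc/passwd /etc/shells`; accounts reported as `interactive` still get a normal shell over SSH.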

