Re: Howto deny a sftp connection

On 2006-01-19, Tom <teeeelo@xxxxxxxxxxxxxx> wrote:
> this is exactly the topic I have questions about.
> For me I want to archieve, that users can connect to the server by ssh
> but that they cannot transfer files from that server.

If you're allowing shell access then it's basically impossible to stop
a determined user transferring files, see below.

> Thats why I want to stop and deny all sftp and scp connections.
> Okay, the sftp subsystem is easily to stop by editing the sshd_config.

Unless you remove permissions from sftp-server too, users can still run
sftp over a shell channel as Richard mentioned.

> Is it somehow possible to control the scp function by pam.d? note: I
> don't want to deny ssh.

No, neither scp nor sftp check PAM.

You can block naive users by setting the permissions on the scp binary
(eg make it mode 750 with a group "scpusers", then put anyone allowed to
run it in that group) but that won't stop someone copying an scp binary
into, eg, $HOME/bin and using that.

Even if you managed to block scp and sftp perfectly, since you're allowing
shell access, files can be transferred trivially using shell output
redirects (ie ssh yourserver "cat file" >file or a gazillion variations

Darren Tucker (dtucker at
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.