topic Re: SSH and Secure FTP (SFTP) in Operating System - HP-UX

SSH and Secure FTP (SFTP)

CharliePuyol — Fri, 05 Jun 2009 15:36:29 GMT

It looks like that ssh and sftp are bonded. But I need some hosts to use the ssh only, and some hosts use ssh and sftp.

Is there a way to implement that? How?

Re: SSH and Secure FTP (SFTP)

Patrick Wallek — Fri, 05 Jun 2009 15:52:31 GMT

I'm not sure I understand what you are looking for.

Yes, SSH and SFTP utilize the same network port and both are part of the SSH package.

I don't quite understand what you mean when you say "...I need some hosts to use the ssh only, and some hosts use ssh and sftp."

Are you saying you want some hosts to only allow ssh connections into them and NOT sftp, and other hosts allow both ssh and sftp connection?

If that is the case you might be able to do something with the "subsystem" configuration option of the sshd_config file. See 'man sshd_config' for more information.

Re: SSH and Secure FTP (SFTP)

CharliePuyol — Fri, 05 Jun 2009 15:57:09 GMT

Yes, from one host ssh and sftp. And on the other host is just ssh.

Re: SSH and Secure FTP (SFTP)

Patrick Wallek — Fri, 05 Jun 2009 15:59:24 GMT

I just did a quick test on one of my Linux servers and modifying the 'subsystem' section of sshd_config can prevent sftp logins.

Here's what I did:

Found the sshd_config file (You will have to look for yours)

Edit the sshd_ocnfig file in vi

Look for the "subsystem" section. The file should contain a section similar to this:

# override default of no subsystems
Subsystem sftp /usr/lib64/ssh/sftp-server

This tells sshd to start the sftp-server program when it received sftp requests. Comment out the 'subsystem' line so it looks like:

# override default of no subsystems
#Subsystem sftp /usr/lib64/ssh/sftp-server

Then save the file and stop and restart the SSH daemon.

Now when you SFTP you should get something like:

$ sftp hqtas14t
Connecting to hqtas14t...
Request for subsystem 'sftp' failed on channel 0
Couldn't read packet: Connection reset by peer

On the servers that need sftp to work, don't change the sshd_config file and it should stay working.

Re: SSH and Secure FTP (SFTP)

Patrick Wallek — Fri, 05 Jun 2009 16:01:43 GMT

Are you talking about OUTGOING or INCOMING connections.

Above you said "from one host" and "on the other host."

So do you mean you don't want people to EXECUTE SFTP on "the other host?"

If that is the case, you could remove execute permissions from SFTP, or write a wrapper script that disallows SFTP.

Re: SSH and Secure FTP (SFTP)

CharliePuyol — Fri, 05 Jun 2009 16:10:49 GMT

Incoming, the escenario is the following:

One HP-UX 11.11 server got Secure Shell Installed.

One PC needs to access to the HP-UX server using ssh and transfer files by Secure FTP

Other PC needs to access to the HP-UX server using ssh, but no need of Secure FTP (must be disabled).

Re: SSH and Secure FTP (SFTP)

Patrick Wallek — Fri, 05 Jun 2009 17:34:51 GMT

>>Other PC needs to access to the HP-UX server using ssh, but no need of Secure FTP (must be disabled).

This is a bird of a different color......

I do not know if there is a way to allow incoming ssh and sftp from one PC, but allow ssh only from another PC.

For the 2nd PC, you could just rename the sftp executable.