topic Re: Disable ssh but enable sftp for certain users? in Operating System - HP-UX

Disable ssh but enable sftp for certain users?

Geoff Wild — Mon, 10 Apr 2006 15:12:36 GMT

Is there a way to configure ssh so that certain users have sftp only?

I know with the security product I'm using allows that granularity - but what about vanilla openssh and/or HP Secure Shell?

The only option I see is to chroot the users...which isn't a bad idea at all...

http://www.brandonhutchinson.com/chroot_ssh.html

Rgds...Geoff

Re: Disable ssh but enable sftp for certain users?

Steven E. Protter — Mon, 10 Apr 2006 15:30:23 GMT

Shalom Geoff,

Let me propose a very simple way.

user and group permissions.

Create a group called sftpusers

Add the chosen users to the group who will be permitted sftp

Change ownership of sftp to the group, or make only sftpusers and root capable of executing the file.

Sounds to me like chroot is more fun, but group permissions would also work if chroot is not an option.

SEP

Re: Disable ssh but enable sftp for certain users?

Jannik — Mon, 10 Apr 2006 15:44:57 GMT

Hey Geoff

I don't know if this is what you are looking for, but U can add restrictions to the authorized_keys file.
from="server.domain.id",no-pty,command="scp -f /home/cfg2html/*cfg.html" ssh-dss AAAAB3Nz...user@server

This would not allow other things than to cofy one specific file to a specific server. Even if you try something else it will rewrite the command and only copy that file.

Regards,
Jannik

Re: Disable ssh but enable sftp for certain users?

Ivan Ferreira — Mon, 10 Apr 2006 16:43:00 GMT

I did this once, but I don't remember exactly, I think that is like this:

Create a script called /usr/local/sbin/ssh-dummy-shell, it should look like this:

if [ "$SSH_ORIGINAL_COMMAND" = "/usr/libexec/openssh/sftp-server" ]
then
/usr/libexec/openssh/sftp-server
else
echo "Restricted"
fi

Edit the user's authorized_keys file and add the following before the key:

command="/usr/local/sbin/ssh-dummy-shell"

Re: Disable ssh but enable sftp for certain users?

Prashant Zanwar_4 — Mon, 10 Apr 2006 17:00:27 GMT

Chroot, and then copy that binary in user path which you want them to execute. .

chroot is ssh-dummy-shell as user's shell..

and configure

ChRootUsers fgmacuwc,fgmacr3,fgmacre

Line in sshd2_config in /etc/ssh2..

Hope this helps
Tx
Prashant

Re: Disable ssh but enable sftp for certain users?

Prashant Zanwar_4 — Mon, 10 Apr 2006 17:00:58 GMT

Re: Disable ssh but enable sftp for certain users?

Prashant Zanwar_4 — Mon, 10 Apr 2006 17:04:25 GMT

ChRootUsers will continue with your user names instead.. and sshd you have to restart once or a HUP is enough
Tx
Prashant

Re: Disable ssh but enable sftp for certain users?

Denver Osborn — Mon, 10 Apr 2006 17:36:30 GMT

Have you considered changing the users shell to /opt/ssh/libexec/sftp-server

-denver

Re: Disable ssh but enable sftp for certain users?

Geoff Wild — Tue, 11 Apr 2006 12:56:43 GMT

Looks like chroot is the most secure way to go.

Even with changing a user's default shell to sftp - they can still navigate anywhere on the server...

Thanks for all the answers...

Rgds...Geoff

Re: Disable ssh but enable sftp for certain users?

Patrick Sweeney (PAC) — Tue, 06 Jun 2006 11:14:20 GMT

Geoff -

You might take a look at scponly. It secures transfers to a chrooted jail without having to give a full-blown SSH login. We've been using it for a few years now.

http://www.sublimation.org/scponly/

8-)

- Patrick