SSH Without SFTP

Brahnda Eleazar
Frequent Advisor

SSH Without SFTP

Peace all,

Is there any way I can give a user SSH but not SFTP? I can give SFTP access without SSH, but I'm not quite sure of the reverse.

Usually, in my environment, some of the users are given telnet access but no FTP. So, when it was changed to use SSH, the SFTP connection should also be restricted for some users. And since FTP is different from SFTP, I don't quite know where to look here.

Can someone enlighten me? :)

Thanks,
=adley=
Brahnda Eleazar
Frequent Advisor

Re: SSH Without SFTP

Oh, I'm using 11.11 and 11.23

Matti_Kurkela
Honored Contributor

Re: SSH Without SFTP

SFTP server side is implemented in OpenSSH (including HP's SSH for HP-UX) by a separate sftp-server binary. It is located in /opt/ssh/libexec/sftp-server.

To make the file access permissions work as expected, sshd starts this process using the user's identity (username & groups) after the authentication is completed.

By making the sftp-server binary not executable by some users, you could disable SFTP for them. Or you could build a wrapper for sftp-server that makes any checks you want before invoking the real sftp-server.
Use the "Subsystem" keyword in the sshd_config file to make sshd start your wrapper instead of the real sftp-server.

Note that this won't be a strong protection, but more like a way to "keep honest people honest". A person with sufficient UNIX knowledge will easily find a way to transfer a file regardless, if you don't use some sort of a restricted shell in addition to SFTP disabling.

Consider this:

tar cf - somedir | ssh somehost "cd /tmp; tar xvf -"

MK
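The wrapper approach from the reply above, as an added example (not HP's or OpenSSH's code): a small sh script installed in place of sftp-server via the Subsystem keyword. It refuses SFTP to members of an assumed local group "nosftp" and otherwise execs the real sftp-server; the wrapper path /opt/ssh/libexec/sftp-wrapper and the group name are assumptions.

```shell
#!/bin/sh
# Example sftp-server wrapper (added illustration, not HP's or OpenSSH's code).
# Install it, e.g. as /opt/ssh/libexec/sftp-wrapper (assumed path), and point
# sshd at it in sshd_config:
#   Subsystem sftp /opt/ssh/libexec/sftp-wrapper
# sshd starts the subsystem as the authenticated user, so "id" reports that user.

# Real sftp-server binary (path from the reply above) and the denying group.
# "nosftp" is an assumed local convention, not an OpenSSH feature.
SFTP_SERVER=${SFTP_SERVER:-/opt/ssh/libexec/sftp-server}
DENY_GROUP=${DENY_GROUP:-nosftp}

# sftp_allowed USER "GROUP GROUP ..." -> returns 0 if USER may use SFTP, 1 if not.
# The group list is passed in so the policy can be checked without a live login.
sftp_allowed() {
    user=$1
    groups=$2
    for g in $groups; do
        if [ "$g" = "$DENY_GROUP" ]; then
            return 1
        fi
    done
    return 0
}

main() {
    user=$(id -un)
    groups=$(id -Gn "$user")    # POSIX id; assumed available on this HP-UX release
    if sftp_allowed "$user" "$groups"; then
        exec "$SFTP_SERVER" "$@"
    fi
    # Leave an audit trail and tell the client why the subsystem died.
    # Only stderr is safe here: anything on stdout would corrupt the SFTP stream.
    logger -p auth.notice "sftp-wrapper: refused sftp for $user (member of $DENY_GROUP)"
    echo "SFTP is not enabled for your account" >&2
    exit 1
}

# Dispatch only when invoked under the installed wrapper name, so the policy
# function above can also be sourced and tested on its own.
case $0 in
    */sftp-wrapper|sftp-wrapper) main "$@" ;;
esac
```

As the reply notes, this only blocks the sftp subsystem; the same user can still move files over a plain ssh session unless a restricted shell is used as well.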
Ralph Grothe
Honored Contributor

Re: SSH Without SFTP

I think he wants it the other way round,
viz. allow someone who mustn't login via ssh to still be able to do sftp transfers.
Honestly, I don't know if this is configurable at all since, as I understand it, ssh's facility to also grant secure ftp is merely a concession for ftp-stubborn users who are reluctant to learn the little it takes to use the ssh command.
As Matti mentioned, sftp seems completely redundant because you always can copy files like this (read/write permissions of source and target provided):

$ ssh me@remote 'cat > /my/remote/target' < /my/local/source

The AllowUser or DenyUser directives in sshd_config most likely can only be used to fend off certain users completely from using ssh (sftp included).
Madness, thy name is system administration
Brahnda Eleazar
Frequent Advisor

Re: SSH Without SFTP

Peace,

Matti's solution is what I'm looking for.
Well, it's not perfect I know, but it's good enough.

=adley=