- Re: sftp prompt only No login shell
07-14-2015 03:20 AM - edited 07-14-2015 03:20 AM
Hi,
We need to give an sftp prompt only for a user; he should not be able to log in (using a shell) on port 22.
It's a requirement raised by our network team that they can't allow port 22 to be opened from the external world to our servers.
HP-UX 11.31.
07-14-2015 06:22 AM
Re: sftp prompt only No login shell
>> ... they cant allow port 22 to be opened from external world
So how are you going to get SFTP to work? It uses port 22 as well.
07-14-2015 07:12 AM
Re: sftp prompt only No login shell
I mean port 22 is fine if I jail root such that only the sftp prompt will be available.
No user from the outside world must be able to get a login prompt for that IP.
07-14-2015 12:28 PM
Re: sftp prompt only No login shell
Have you set the user's shell to sftp?
07-14-2015 02:34 PM
Re: sftp prompt only No login shell
> Have you set the user's shell to sftp?
I know nothing, but I don't think that it works that way. I believe
that SCP, SFTP, and so on all start with the basic SSH daemon (sshd),
and then switch to a service-specific sub-program. So, to modify this
stuff, you need to modify the configuration of the sshd (typically by
modifying an sshd configuration file).
> [...] they can[']t allow port 22 to be opened from external world to
> our servers.
I would not allow an external port 22 to connect to anything, because
there are too many attack programs out there which try to break in on
port 22. So, first, choose a port number different from 22. Then, if
you still want to allow access to SFTP only (no shell), you can take
more steps. I've never done it, so I've never done it on HP-UX, and
I've especially never done it using your (mystery) version of the HP
Secure Shell software (or OpenSSH, or whatever you're using), so I know
nothing, but a Web search for keywords like, say:
sftp only no shell hp-ux
may find some more useful information.
07-14-2015 10:59 PM - edited 07-15-2015 12:17 AM
Re: sftp prompt only No login shell
Hi Team,
How do we achieve it?
Checked the following link:
http://h30499.www3.hp.com/t5/Security/sftp-sessions-and-usr-bin-false/td-p/3974355#.VaX1kvmUdno
But it looks like in the end it was not able to meet the expectation.
07-15-2015 05:48 AM - edited 07-15-2015 05:52 AM
I always disable ssh/scp/sftp from using port 22. As Steven mentions, this port is massively attacked from the big bad Internet all the time. Instead, I recommend port 36 since it isn't mentioned as a well-known port:
https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers
The simplest way to have a dedicated sftp user (with no shell) is to give the user an sftp wrapper script as their shell. As a standard wrapper, it would disable any breakout signals, and simply run sftp -P 36 which implies that the remote side is also running the ssh daemon on port 36.
Bill Hassell, sysadmin
07-15-2015 05:57 AM
Re: sftp prompt only No login shell
Hi Bill,
Where do we mention port 36 as the scp/sftp port?
07-15-2015 06:06 AM - edited 07-15-2015 06:10 AM
Re: sftp prompt only No login shell
There is a handy guide on all HP-UX systems called man pages.
man sftp
It is the -P option as in sftp -P 36
Do you need a sample wrapper script and how to use it?
Note that the remote end must also be configured for port 36 in the sshd_config file.
Bill Hassell, sysadmin
07-15-2015 06:49 AM - edited 07-15-2015 06:50 AM
Re: sftp prompt only No login shell
NOTE: My sftp wrapper script example is for starting an sftp session to a remote system.
The remote end will need a lot more setup, but HP has a nice document for this:
http://h20564.www2.hp.com/hpsc/doc/public/display?docId=emr_na-c01516983&sp4ts.oid=3553037
Bill Hassell, sysadmin
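As an added example from the editor, not code from any poster in this thread or from HP: the server-side way to give an account an SFTP prompt and nothing else, which is what "modify the configuration of the sshd" above comes down to, is a Match block in sshd_config with ForceCommand internal-sftp and a ChrootDirectory. The script below prints such a fragment (using the port 36 chosen in the thread), checks a config file for a correctly formed block, and checks a chroot path against sshd's ownership and permission rule. The account name xferuser and the path /sftp/xferuser are placeholders. It assumes an OpenSSH-derived sshd (HP-UX Secure Shell is one) new enough to support Match, ChrootDirectory and internal-sftp, which means OpenSSH 4.9 or later.

```shell
#!/bin/sh
# Editor's example, not from the thread or from HP. Restrict one account to
# SFTP with no shell, server-side, and sanity-check the result. Assumes an
# OpenSSH-derived sshd with Match / ChrootDirectory / internal-sftp support.

SFTP_USER="${SFTP_USER:-xferuser}"             # hypothetical account name
SSH_PORT="${SSH_PORT:-36}"                     # non-default port, as in the thread
CHROOT_DIR="${CHROOT_DIR:-/sftp/$SFTP_USER}"   # placeholder path; root-owned, mode 755

# Print the sshd_config settings. Match must be the last section of the file
# (every line after it belongs to the block), so Port is emitted above it.
sftp_only_fragment() {
    cat <<EOF
Port $SSH_PORT
Subsystem sftp internal-sftp
Match User $SFTP_USER
    ChrootDirectory $CHROOT_DIR
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
    PermitTunnel no
EOF
}

# Return 0 if config file $1 contains a "Match User" block naming user $2
# that sets ForceCommand internal-sftp and a ChrootDirectory; 1 otherwise.
# Line-based: handles "Key value" lines and comma-separated user lists,
# not the "Key=value" spelling. A later Match line ends the block.
check_sftp_only() {
    awk -v user="$2" '
        { key = tolower($1) }
        key == "match" {
            in_block = 0
            for (i = 2; i < NF; i++) {
                if (tolower($i) == "user") {
                    n = split($(i + 1), users, ",")
                    for (j = 1; j <= n; j++) {
                        if (users[j] == user) in_block = 1
                    }
                }
            }
            next
        }
        in_block && key == "forcecommand" && $2 == "internal-sftp" { force = 1 }
        in_block && key == "chrootdirectory" && $2 != "" { chroot = 1 }
        END { if (force && chroot) exit 0; exit 1 }
    ' "$1"
}

# sshd refuses a ChrootDirectory unless every component of the path is a
# root-owned directory that is not group- or world-writable. Judge one
# component from its "ls -ld" mode string ($1) and owner name ($2).
chroot_component_ok() {
    [ "$2" = "root" ] || return 1
    case "$1" in
        ?????w*|????????w*) return 1 ;;   # char 6: group write, char 9: other write
    esac
    return 0
}

# Walk from directory $1 up to / and apply chroot_component_ok to each level.
check_chroot_path() {
    p="$1"
    [ -d "$p" ] || return 1
    while : ; do
        set -- $(ls -ld "$p")
        chroot_component_ok "$1" "$3" || return 1
        [ "$p" = "/" ] && return 0
        p=$(dirname "$p")
    done
}

# When run as a script: print the fragment, then report on the chroot path.
sftp_only_fragment
if check_chroot_path "$CHROOT_DIR"; then
    echo "# $CHROOT_DIR passes sshd's chroot ownership/permission rule"
else
    echo "# $CHROOT_DIR is missing or fails the rule (root-owned, no group/other write)" >&2
fi
```

Append the fragment to the server's sshd_config (on HP-UX Secure Shell the configuration lives under /opt/ssh/etc; check your installation), syntax-check it with sshd -t -f on the edited file, and then restart sshd. Because ForceCommand internal-sftp never starts a shell, the account's /etc/passwd shell is no longer what keeps the user out, and the chroot keeps the session inside one directory tree. A wrapper script that runs the sftp client as the user's login shell is a different design: it gives an outbound session to another host, and the sftp client documents a ! escape to a local shell in sftp(1), so the server-side block is the stronger control when the goal is "SFTP prompt only on this server".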