
sftp prompt only No login shell

SOLVED
chindi
Respected Contributor

sftp prompt only No login shell

Hi,

We need to give an sftp prompt only for a user; he should not be able to log in (using a shell) on port 22.

It's a requirement raised by our Network team that they can't allow port 22 to be opened from the external world to our servers.

HP-UX 11.31.

11 REPLIES
Patrick Wallek
Honored Contributor

Re: sftp prompt only No login shell

>> ... they cant allow port 22 to be opened from external world

So how are you going to get SFTP to work?  It uses port 22 as well.

chindi
Respected Contributor

Re: sftp prompt only No login shell

I mean port 22 is fine if I jail root such that only an sftp prompt will be available.

No user from the outside world must be able to get a login prompt for that IP.

Dennis Handly
Acclaimed Contributor

Re: sftp prompt only No login shell

Have you set the user's shell to sftp?

Steven Schweda
Honored Contributor

Re: sftp prompt only No login shell

> Have you set the user's shell to sftp?

   I know nothing, but I don't think that it works that way.  I believe
that SCP, SFTP, and so on all start with the basic SSH daemon (sshd),
and then switch to a service-specific sub-program.  So, to modify this
stuff, you need to modify the configuration of the sshd (typically by
modifying an sshd configuration file).

> [...] they can[']t allow port 22 to be opened from external world to
> our servers.

   I would not allow an external port 22 to connect to anything, because
there are too many attack programs out there which try to break in on
port 22.  So, first, choose a port number different from 22.  Then, if
you still want to allow access to SFTP only (no shell), you can take
more steps.  I've never done it, so I've never done it on HP-UX, and
I've especially never done it using your (mystery) version of the HP
Secure Shell software (or OpenSSH, or whatever you're using), so I know
nothing, but a Web search for keywords like, say:

      sftp only no shell hp-ux

may find some more useful information.

chindi
Respected Contributor

Re: sftp prompt only No login shell

Hi Team,

How do we achieve it?

Checked the following link:

http://h30499.www3.hp.com/t5/Security/sftp-sessions-and-usr-bin-false/td-p/3974355#.VaX1kvmUdno

But it looks like in the end it was not able to meet the expectation.

Bill Hassell
Honored Contributor
Solution

Re: sftp prompt only No login shell

I always disable ssh/scp/sftp from using port 22. As Steven mentions, this port is massively attacked from the big bad Internet all the time. Instead, I recommend port 36 since it isn't mentioned as a well known port:

https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers

The simplest way to have a dedicated sftp user (with no shell) is to give the user an sftp wrapper script as their shell. As a standard wrapper, it would disable any breakout signals, and simply run sftp -P 36 which implies that the remote side is also running the ssh daemon on port 36.

Bill Hassell, sysadmin
chindi
Respected Contributor

Re: sftp prompt only No login shell

Hi Bill,

Where do we mention port 36 as the scp/sftp port?

Bill Hassell
Honored Contributor

Re: sftp prompt only No login shell

There is a handy guide on all HP-UX systems called man pages.

man sftp

It is the -P option as in sftp -P 36

Do you need a sample wrapper script and how to use it?

Note that the remote end must also be configured for port 36 in the sshd_config file.

Bill Hassell, sysadmin
Bill Hassell
Honored Contributor

Re: sftp prompt only No login shell

NOTE: My sftp wrapper script example is for starting an sftp session to a remote system.

The remote end will need a lot more setup, but HP has a nice document for this:

http://h20564.www2.hp.com/hpsc/doc/public/display?docId=emr_na-c01516983&sp4ts.oid=3553037

Bill Hassell, sysadmin
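A server-side counterpart to the wrapper idea, as an added example that is not code from any post in this thread: a restricted login shell that lets the account run the sftp subsystem and nothing else. It assumes the sshd is OpenSSH-based and so invokes the user's login shell as `<shell> -c <sftp-server path>` for the sftp subsystem, that the path in SFTP_SERVER matches the Subsystem line of the local sshd_config, and that the script is installed under the name sftp-only-shell (all assumptions, not taken from the thread).

```shell
#!/bin/sh
# Restricted login shell for an sftp-only account on the SERVER side.
# Added example for this thread, not Bill Hassell's client-side wrapper.
# Install it as the user's shell in /etc/passwd and list it in /etc/shells.
# When a client requests the sftp subsystem, sshd runs the login shell as
#     <shell> -c <path from the "Subsystem sftp ..." line in sshd_config>
# so that exact argument pair is the only thing this shell will ever run.

# ASSUMPTION: path of the sftp server binary; match it to your sshd_config.
SFTP_SERVER="${SFTP_SERVER:-/opt/ssh/libexec/sftp-server}"

# Returns 0 only for the exact "-c <sftp-server>" pair sshd uses for sftp.
# An interactive login (no args), scp, or "-c <anything else>" is refused.
sftp_only_allowed() {
    [ "$#" -eq 2 ] || return 1
    [ "$1" = "-c" ] || return 1
    [ "$2" = "$SFTP_SERVER" ] || return 1
    return 0
}

# Record the refused attempt in the auth log, tell the user, and fail.
refuse() {
    if command -v logger >/dev/null 2>&1; then
        logger -p auth.warning -t sftp-only-shell "refused for ${USER:-unknown}: $*"
    fi
    echo "This account is restricted to sftp." >&2
    exit 1
}

# No signal traps here: the sftp subsystem gets no tty, so there is no
# keyboard to send break signals from, and ignored signals would be
# inherited across exec and leave sftp-server unable to be stopped by TERM.

# Dispatch only when invoked under the installed name (sshd passes a
# leading "-" for login shells), so the functions can also be sourced.
case "${0##*/}" in
    sftp-only-shell|-sftp-only-shell)
        if sftp_only_allowed "$@"; then
            exec "$SFTP_SERVER"
        fi
        refuse "$@"
        ;;
esac
```

This shell does not stop the account from using ssh port forwarding; that needs AllowTcpForwarding no in sshd_config (an OpenSSH directive, assumed present in the HP-UX build).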
Steven Schweda
Honored Contributor

Re: sftp prompt only No login shell

> Note that the remote end must also be configured for port 36 in the
> sshd_config file.

   Where "remote end" refers to the server?  (As I read it, the
_clients_ were the "remote" ones.)

   Or "our Network team" can arrange appropriate port forwarding, so
that the external clients use one port (like, say, 36), and the internal
server uses the default port (22).

   As I learned after a recent DSL upgrade, many common (cheap, home)
routers can't do this, but any place with a "Network team" should have a
router which can.

chindi
Respected Contributor

Re: sftp prompt only No login shell

Thanks Bill & Steven