HPE Community
Operating System - HP-UX
1834395 Members
1690 Online
110066 Solutions
New Discussion

Disable ssh but enable sftp for certain users?

 
Geoff Wild
Honored Contributor

‎04-10-2006 08:12 AM

‎04-10-2006 08:12 AM

Disable ssh but enable sftp for certain users?

Is there a way to configure ssh so that certain users have sftp only?

I know with the security product I'm using allows that granularity - but what about vanilla openssh and/or HP Secure Shell?

The only option I see is to chroot the users...which isn't a bad idea at all...

http://www.brandonhutchinson.com/chroot_ssh.html

Rgds...Geoff
Proverbs 3:5,6 Trust in the Lord with all your heart and lean not on your own understanding; in all your ways acknowledge him, and he will make all your paths straight.
0 Kudos
9 REPLIES 9
Steven E. Protter
Exalted Contributor

‎04-10-2006 08:30 AM

‎04-10-2006 08:30 AM

Re: Disable ssh but enable sftp for certain users?

Shalom Geoff,

Let me propose a very simple way.

user and group permissions.

Create a group called sftpusers

Add the chosen users to the group who will be permitted sftp

Change ownership of sftp to the group, or make only sftpusers and root capable of executing the file.

Sounds to me like chroot is more fun, but group permissions would also work if chroot is not an option.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
0 Kudos
Jannik
Honored Contributor

‎04-10-2006 08:44 AM

‎04-10-2006 08:44 AM

Re: Disable ssh but enable sftp for certain users?

Hey Geoff

I don't know if this is what you are looking for, but U can add restrictions to the authorized_keys file.
from="server.domain.id",no-pty,command="scp -f /home/cfg2html/*cfg.html" ssh-dss AAAAB3Nz...user@server

This would not allow other things than to cofy one specific file to a specific server. Even if you try something else it will rewrite the command and only copy that file.

Regards,
Jannik
jaton
0 Kudos
Ivan Ferreira
Honored Contributor

‎04-10-2006 09:43 AM

‎04-10-2006 09:43 AM

Re: Disable ssh but enable sftp for certain users?

I did this once, but I don't remember exactly, I think that is like this:

Create a script called /usr/local/sbin/ssh-dummy-shell, it should look like this:

if [ "$SSH_ORIGINAL_COMMAND" = "/usr/libexec/openssh/sftp-server" ]
then
/usr/libexec/openssh/sftp-server
else
echo "Restricted"
fi

Edit the user's authorized_keys file and add the following before the key:

command="/usr/local/sbin/ssh-dummy-shell"
Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?
0 Kudos
Prashant Zanwar_4
Respected Contributor

‎04-10-2006 10:00 AM

‎04-10-2006 10:00 AM

Re: Disable ssh but enable sftp for certain users?

Chroot, and then copy that binary in user path which you want them to execute. .

chroot is ssh-dummy-shell as user's shell..

and configure

ChRootUsers fgmacuwc,fgmacr3,fgmacre

Line in sshd2_config in /etc/ssh2..

Hope this helps
Tx
Prashant
"Intellect distinguishes between the possible and the impossible; reason distinguishes between the sensible and the senseless. Even the possible can be senseless."
0 Kudos
Prashant Zanwar_4
Respected Contributor

‎04-10-2006 10:00 AM

‎04-10-2006 10:00 AM

Re: Disable ssh but enable sftp for certain users?

Chroot, and then copy that binary in user path which you want them to execute. .

chroot is ssh-dummy-shell as user's shell..

and configure

ChRootUsers fgmacuwc,fgmacr3,fgmacre

Line in sshd2_config in /etc/ssh2..

But again user will be able to put any file under his home.. :-)

Hope this helps
Tx
Prashant
"Intellect distinguishes between the possible and the impossible; reason distinguishes between the sensible and the senseless. Even the possible can be senseless."
0 Kudos
Prashant Zanwar_4
Respected Contributor

‎04-10-2006 10:04 AM

‎04-10-2006 10:04 AM

Re: Disable ssh but enable sftp for certain users?

ChRootUsers will continue with your user names instead.. and sshd you have to restart once or a HUP is enough
Tx
Prashant
"Intellect distinguishes between the possible and the impossible; reason distinguishes between the sensible and the senseless. Even the possible can be senseless."
0 Kudos
Denver Osborn
Honored Contributor

‎04-10-2006 10:36 AM

‎04-10-2006 10:36 AM

Re: Disable ssh but enable sftp for certain users?

Have you considered changing the users shell to /opt/ssh/libexec/sftp-server

-denver

0 Kudos
Geoff Wild
Honored Contributor

‎04-11-2006 05:56 AM

‎04-11-2006 05:56 AM

Re: Disable ssh but enable sftp for certain users?

Looks like chroot is the most secure way to go.

Even with changing a user's default shell to sftp - they can still navigate anywhere on the server...

Thanks for all the answers...

Rgds...Geoff
Proverbs 3:5,6 Trust in the Lord with all your heart and lean not on your own understanding; in all your ways acknowledge him, and he will make all your paths straight.
0 Kudos
Patrick Sweeney (PAC)
New Member

‎06-06-2006 04:14 AM

‎06-06-2006 04:14 AM

Re: Disable ssh but enable sftp for certain users?

Geoff -

You might take a look at scponly. It secures transfers to a chrooted jail without having to give a full-blown SSH login. We've been using it for a few years now.

http://www.sublimation.org/scponly/

8-)

- Patrick

"Do or do not. There is no try." - Yoda
0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.