How to restrict users to SFTP only instead of SSH
Posted by hruske on Sun 13 Feb 2005 at 21:52
Sometimes you want users who have access to files on your server, but you don't want them to be able to log in and execute commands on the server.
This is done quite easily.
Add the user as usual and assign a password. Then run the following command (replace 'username' with the real user name):
root@host # usermod -s /usr/lib/sftp-server username
This changes the user's login shell to sftp-server.
The last step for this to work is to add '/usr/lib/sftp-server' to /etc/shells to make it a valid shell, e.g. like this:
root@host # echo '/usr/lib/sftp-server' >> /etc/shells
There. Now you've setup a user who can only access your server with SFTP.
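As an added example (my own, not part of the original article), here is a small POSIX shell audit for the two conditions the procedure above relies on: which accounts have a login shell ending in sftp-server, and whether that shell path is actually listed in /etc/shells. It runs against file paths passed as parameters, so it needs no root and can be pointed at /etc/passwd and /etc/shells on a live host; the passwd and shells content below is a constructed sample, and the function names are my own.

```shell
#!/bin/sh
# Added example: audit sftp-server-restricted accounts (not from the article).
set -e

# sftp_shell_users PASSWD_FILE
# Print "user shell" for every account whose login shell ends in sftp-server.
sftp_shell_users() {
    awk -F: '$7 ~ /sftp-server$/ { print $1, $7 }' "$1"
}

# shell_registered SHELL SHELLS_FILE
# Succeed only if SHELL appears as a whole line in SHELLS_FILE (exact match).
shell_registered() {
    grep -qxF "$1" "$2"
}

# audit_sftp_users PASSWD_FILE SHELLS_FILE
# One line per restricted account: OK if its shell is registered, MISSING if not.
# A MISSING shell means sshd will refuse the login entirely, so SFTP breaks too.
audit_sftp_users() {
    sftp_shell_users "$1" | while read -r user shell; do
        if shell_registered "$shell" "$2"; then
            printf 'OK %s %s\n' "$user" "$shell"
        else
            printf 'MISSING %s %s\n' "$user" "$shell"
        fi
    done
}

# audit_ok PASSWD_FILE SHELLS_FILE: succeed only if nothing is MISSING.
audit_ok() {
    ! audit_sftp_users "$1" "$2" | grep -q '^MISSING'
}

# Constructed sample files (assumption: a Debian-style sftp-server path for
# alice, and a second path for bob that was never added to /etc/shells).
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001::/home/alice:/usr/lib/sftp-server
bob:x:1002:1002::/home/bob:/usr/lib/openssh/sftp-server
carol:x:1003:1003::/home/carol:/bin/sh
EOF
cat > "$SAMPLE_DIR/shells" <<'EOF'
/bin/sh
/bin/bash
/usr/lib/sftp-server
EOF

# Stand-alone run: prints "OK alice ..." and "MISSING bob ...".
audit_sftp_users "$SAMPLE_DIR/passwd" "$SAMPLE_DIR/shells"
```

For a live check, call audit_sftp_users /etc/passwd /etc/shells. On OpenSSH 4.9 and later the same restriction can instead be expressed in sshd_config with a Match block and ForceCommand internal-sftp, which does not require listing sftp-server in /etc/shells at all.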
Thanks for the article. Cheers
sno
user can't log in using the ssh-shell...
freD.
I thought it might be the !command feature, but that turns out to execute commands on the connecting side.
Someone else also mentioned the possibility of the user scping an authorized_keys file with a command specified in it. By setting the home directory to something like / this can be avoided.
Finally, I found the thread at http://ubuntuforums.org/showthread.php?t=451510 which told me to execute the following commands to get scponlyc to work on Debian Etch. This is because sftp-server needs /dev/null to work and /dev/null isn't created by the setup_chroot.sh script distributed with scponlyc.
mkdir /home/username/dev
mknod -m 666 /home/username/dev/null c 1 3
Currently, I have a chroot jail with the repository bind-mounted in it, but this is difficult to maintain.
echo '/usr/lib/stfp-server' >> /etc/shells...should be...
echo '/usr/lib/sftp-server' >> /etc/shells
root@host # usermod -s /usr/lib64/ssh/sftp-server username
and
root@host # echo '/usr/lib64/ssh/sftp-server' >> /etc/shells
bye TDT
So you can, for example, chmod 711 your /home directory so users will never know the names of the other accounts on the system. Should you share a folder amongst users, this is still possible but one must know the exact directory by name to get to it.
Not if you disable it in sshd_config....
user@web01:~/$ apt-cache search scponly
scponly - Restricts the commands available to scp- and sftp-users
user@web01:~/$ sudo apt-get install scponly
Reading package lists... Done
Building dependency tree... Done
The following NEW packages will be installed
scponly
0 upgraded, 1 newly installed, 0 to remove and 108 not upgraded.
Need to get 34.3kB of archives.
After unpacking 180kB of additional disk space will be used.
Get: 1 http://ftp.us.debian.org etch/main scponly 4.6-1 [34.3kB]
Fetched 34.3kB in 0s (93.9kB/s)
Preconfiguring packages ...
Selecting previously deselected package scponly.
(Reading database ... 28911 files and directories currently installed.)
Unpacking scponly (from .../scponly_4.6-1_amd64.deb) ...
Setting up scponly (4.6-1) ...
user@web01:~/$ sudo adduser guest
Adding user `guest' ...
Adding new group `guest' (1005) ...
Adding new user `guest' (1004) with group `guest' ...
Creating home directory `/home/guest' ...
Copying files from `/etc/skel' ...
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
Changing the user information for guest
Enter the new value, or press ENTER for the default
Full Name []: Guest User
Room Number []:
Work Phone []:
Home Phone []:
Other []:
Is the information correct? [y/N] y
user@web01:~/$ sudo usermod -s /usr/bin/scponly guest
Does anyone know how to do this?
Thanks in advance..
root@host # echo '/usr/lib/stfp-server' >> /etc/shells
Change it to:
root@host # echo '/usr/lib/sftp-server' >> /etc/shells
H. Morrow Long
ssh user@host /bin/sh after changing my default shell?
Thanks
Most mail systems implement the ability to pipe email messages directly to a command that will be run on the message when it arrives using /bin/sh. A user could simply create a simple shell script with "chsh -s bash" in it, then create a .forward with "|./mynastyscript" and then send themselves an email message. Voila, they now have shell access.
note: some mail systems (qmail for example) will only do this if the user has a "valid" shell (read: one listed in /etc/shells)
--G. Clifford Williams
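As an added detection example (my own, not from this thread) for the .forward path described in the comment above: a POSIX shell check that, for each account whose login shell is sftp-server, looks for a .forward in that account's home directory with a line that pipes mail into a command. The passwd content and home directories are a constructed sample under a temporary root; the function takes the root prefix as a parameter so it can be pointed at / on a real host, and the function and account names are my own.

```shell
#!/bin/sh
# Added example: flag .forward files that pipe mail to a command for accounts
# restricted to sftp-server (not from the original thread).
set -e

# forward_pipes_command FORWARD_FILE
# Succeed if any line of FORWARD_FILE starts with '|' (a pipe-to-command
# delivery). A missing or unreadable file counts as "no pipe".
forward_pipes_command() {
    grep -qE '^[[:space:]]*\|' "$1" 2>/dev/null
}

# check_forwards PASSWD_FILE ROOT_PREFIX
# For every account with an sftp-server login shell, print
# "PIPE user home/.forward" when ROOT_PREFIX/home/.forward pipes to a command.
# Accounts with a real shell are ignored: a pipe there is expected behaviour.
check_forwards() {
    awk -F: '$7 ~ /sftp-server$/ { print $1, $6 }' "$1" | while read -r user home; do
        if forward_pipes_command "$2$home/.forward"; then
            printf 'PIPE %s %s/.forward\n' "$user" "$home"
        fi
    done
}

# Constructed sample tree (assumption): alice and bob are sftp-only, carol has
# a normal shell. Only alice's .forward pipes, so only alice is reported.
SAMPLE_ROOT=$(mktemp -d)
trap 'rm -rf "$SAMPLE_ROOT"' EXIT
mkdir -p "$SAMPLE_ROOT/home/alice" "$SAMPLE_ROOT/home/bob" "$SAMPLE_ROOT/home/carol"
cat > "$SAMPLE_ROOT/passwd" <<'EOF'
alice:x:1001:1001::/home/alice:/usr/lib/sftp-server
bob:x:1002:1002::/home/bob:/usr/lib/sftp-server
carol:x:1003:1003::/home/carol:/bin/sh
EOF
printf '|/home/alice/handler\n' > "$SAMPLE_ROOT/home/alice/.forward"
printf 'bob@example.invalid\n' > "$SAMPLE_ROOT/home/bob/.forward"
printf '|/home/carol/handler\n' > "$SAMPLE_ROOT/home/carol/.forward"

# Stand-alone run: prints "PIPE alice /home/alice/.forward".
check_forwards "$SAMPLE_ROOT/passwd" "$SAMPLE_ROOT"
```

For a live host, call check_forwards /etc/passwd "" (an empty prefix). The check only covers the .forward mechanism the comment describes; other local delivery hooks a given MTA honours need their own rule.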