How to restrict users to SFTP only instead of SSH

Posted by hruske on Sun 13 Feb 2005 at 21:52


Sometimes you want users who have access to files on your server, but you don't want them to be able to log in and execute commands on it.

This is done quite easily.

Add the user as usual and assign a password. Then run the following command (replace 'username' with the real user name):

root@host # usermod -s /usr/lib/sftp-server username

This changes the user's shell to sftp-server.

The last step for this to work is to add '/usr/lib/sftp-server' to /etc/shells to make it a valid shell, e.g. like this:

root@host # echo '/usr/lib/stfp-server' >> /etc/shells

There. Now you've set up a user who can only access your server with SFTP.
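Changing the login shell, as above, does not by itself stop port forwarding or writes to authorized_keys (both come up in the comments below); the usual way to close those gaps is a Match block in sshd_config. The following checker is an added example, not part of the original article, and assumes OpenSSH 4.9 or later (ForceCommand internal-sftp, ChrootDirectory), a group named sftponly and a chroot path under /srv/sftp, all of which are assumptions for this example.

```shell
#!/bin/sh
# Added example, not from the article. The login-shell trick alone leaves
# port forwarding and authorized_keys writes open (see the comments below);
# a Match block in sshd_config closes them. The group name "sftponly" and
# the chroot path are assumptions. Requires OpenSSH 4.9+ (internal-sftp).

# Reference Match block for SFTP-only users. ChrootDirectory must be owned
# by root and not group/world-writable, and internal-sftp needs no /dev/null
# inside the chroot (unlike the external sftp-server discussed above).
HARDENED_CONFIG='Subsystem sftp internal-sftp
Match Group sftponly
    ChrootDirectory /srv/sftp/%u
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
    AllowAgentForwarding no
    PermitTunnel no
'

# Constructed sample of a server that relies on the login shell only.
SHELL_ONLY_CONFIG='Subsystem sftp /usr/lib/openssh/sftp-server
PermitRootLogin no
'

# check_sftp_config CONFIG GROUP: return 0 only if CONFIG has a
# "Match Group GROUP" block that forces internal-sftp, chroots the session
# and disables TCP and X11 forwarding.
check_sftp_config() {
    config=$1
    group=$2
    # Keep the lines belonging to the Match block for GROUP: from its
    # "Match Group" line up to the next Match line or end of input.
    block=$(printf '%s\n' "$config" | awk -v g="$group" '
        /^[[:space:]]*Match[[:space:]]/ { inblk = ($2 == "Group" && $3 == g); next }
        inblk { print }')
    [ -n "$block" ] || return 1
    for want in 'ForceCommand internal-sftp' 'ChrootDirectory' \
                'AllowTcpForwarding no' 'X11Forwarding no'; do
        printf '%s\n' "$block" | grep -Eq "^[[:space:]]*$want" || return 1
    done
    return 0
}

# Stand-alone use: validate the live config (sshd -t checks its syntax).
if [ "${1:-}" = "--check-live" ] && [ -r /etc/ssh/sshd_config ]; then
    sshd -t && check_sftp_config "$(cat /etc/ssh/sshd_config)" sftponly \
        && echo "sftponly group is SFTP-only" || echo "sftponly group NOT restricted"
fi
```

Run it with --check-live as root on the server to test the installed sshd_config; the AllowUsers/AllowGroups directives mentioned in the comments can be added to the same Match block.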

Posted by Anonymous (194.47.xx.xx) on Mon 14 Feb 2005 at 11:43
That's not enough to actually prevent people from running programs. What you want is rssh or scponly.

[ Parent | Reply to this comment ]

Posted by Anonymous (194.72.xx.xx) on Mon 14 Feb 2005 at 13:32
Hey, nice article. I used a similar approach to deny sftp users access to ssh-like commands. In /etc/ssh/sshd_config uncomment/add the line 'DenyUsers' followed by the user(s) you wish to deny ssh access.

Thanks for the article. Cheers

sno

[ Parent | Reply to this comment ]

Posted by hruske (193.2.xx.xx) on Mon 14 Feb 2005 at 14:46
Yes, or you can list only those users (or groups) that you want to allow in AllowUsers (or AllowGroups).

[ Parent | Reply to this comment ]

Posted by Anonymous (194.72.xx.xx) on Mon 14 Feb 2005 at 16:09
Correct :D Good work. Hope to read more great articles soon. sno

[ Parent | Reply to this comment ]

Posted by Anonymous (193.144.xx.xx) on Fri 20 May 2005 at 17:07
If you deny access to ssh, you also deny sftp, so they will not be able to upload their files.

[ Parent | Reply to this comment ]

Posted by Anonymous (64.208.xx.xx) on Fri 29 Apr 2005 at 14:22
Sorry, but why is it not enough?
The user can't log in using the ssh shell...
freD.

[ Parent | Reply to this comment ]

Posted by Anonymous (207.161.xx.xx) on Thu 8 Mar 2007 at 18:22
Can they?

I thought it might be via the !command feature, but that turns out to execute commands on the connecting side.

Someone else also mentioned the possibility of the user scp-ing an authorized_keys file with a command specified in it. By setting the home directory to something like / this can be avoided.

[ Parent | Reply to this comment ]

Posted by Anonymous (85.226.xx.xx) on Sun 30 Sep 2007 at 10:56
On Debian Sarge I got everything to work out of the box with scponlyc, but setting up scponlyc (scponly with chroot) on Debian Etch (currently Debian Stable) was a little bit more tricky. I managed to set up a working scponly without chroot, but with chroot enabled it didn't work. I got an unexpected error and the connection closed after successful authentication.

Finally, I found the thread at http://ubuntuforums.org/showthread.php?t=451510 which told me to execute the following commands to get scponlyc to work on Debian Etch. This is because sftp-server needs /dev/null to work and /dev/null isn't created by the setup_chroot.sh script distributed with scponlyc.

mkdir /home/username/dev
mknod -m 666 /home/username/dev/null c 1 3

[ Parent | Reply to this comment ]

Posted by Anonymous (195.56.xx.xx) on Thu 3 Mar 2005 at 22:50
Any good way to restrict a user to using a given subversion repository? I can't make svnserve his shell, and the authorized_keys-based command restriction doesn't quite do the job either. For various reasons I can't use a http based svn repository.

Currently, I have a chroot jail with the repository bind-mounted in it, but this is difficult to maintain.

[ Parent | Reply to this comment ]

Posted by Arto (213.250.xx.xx) on Thu 12 Jan 2006 at 19:48
Note the typo in the second command:
echo '/usr/lib/stfp-server' >> /etc/shells
...should be...
echo '/usr/lib/sftp-server' >> /etc/shells

[ Parent | Reply to this comment ]

Posted by Anonymous (85.76.xx.xx) on Sat 18 Mar 2006 at 20:17
Does this also work in SuSE Linux?

[ Parent | Reply to this comment ]

Posted by Anonymous (147.230.xx.xx) on Tue 4 Apr 2006 at 07:09
Yes, I tried this on SUSE 10 on x86_64, with
root@host # usermod -s /usr/lib64/ssh/sftp-server username
and
root@host # echo '/usr/lib64/ssh/stfp-server' >> /etc/shells
Bye, TDT

[ Parent | Reply to this comment ]

Posted by Anonymous (203.123.xx.xx) on Mon 3 May 2010 at 11:02
Hi, I am using CentOS. I want to restrict a user from traversing into other directories. I have implemented the rbash utility but am still unable to limit the user from traversing.

Can you suggest some solution?

[ Parent | Reply to this comment ]

Posted by kanour (202.7.xx.xx) on Sat 27 May 2006 at 15:27
But how to chroot the sftp login?

[ Parent | Reply to this comment ]

Posted by Anonymous (220.233.xx.xx) on Mon 26 Jun 2006 at 07:15
You need to run a modified version of sftp-server that does chroot.

[ Parent | Reply to this comment ]

Posted by Anonymous (24.82.xx.xx) on Fri 4 Jan 2008 at 05:42
Another alternative is to chmod 711 (drwx--x--x). In this case root gets access to everything and can see everything too, but all other users can only traverse the directory if they know it's there, since directory listings are disabled.

So you can, for example, chmod 711 your /home directory so users will never know the names of the other accounts on the system. Should you share a folder amongst users, this is still possible but one must know the exact directory by name to get to it.

[ Parent | Reply to this comment ]

Posted by Anonymous (71.135.xx.xx) on Tue 31 Oct 2006 at 16:21
Warning: the user can still sftp to the server, and modify /home/username/.ssh/authorized_keys

[ Parent | Reply to this comment ]

Posted by Anonymous (71.135.xx.xx) on Tue 31 Oct 2006 at 16:46
Is there a way to restrict access to "scp" only, rather than "sftp"? Scp's syntax is much easier for certain applications (such as copying remote to local). I tried restricting the shell to /usr/bin/scp, but that did not work.

[ Parent | Reply to this comment ]

Posted by Anonymous (86.120.xx.xx) on Tue 21 Nov 2006 at 11:25
The user with no shell can do port forwarding!!!

[ Parent | Reply to this comment ]

Posted by Steve (62.30.xx.xx) on Tue 21 Nov 2006 at 15:37

Not if you disable it in sshd_config....

Steve

[ Parent | Reply to this comment ]

Posted by t0dd (24.18.xx.xx) on Tue 5 Dec 2006 at 16:56

user@web01:~/$ apt-cache search scponly
scponly - Restricts the commands available to scp- and sftp-users

user@web01:~/$ sudo apt-get install scponly
Reading package lists... Done
Building dependency tree... Done
The following NEW packages will be installed
scponly
0 upgraded, 1 newly installed, 0 to remove and 108 not upgraded.
Need to get 34.3kB of archives.
After unpacking 180kB of additional disk space will be used.
Get: 1 http://ftp.us.debian.org etch/main scponly 4.6-1 [34.3kB]
Fetched 34.3kB in 0s (93.9kB/s)
Preconfiguring packages ...
Selecting previously deselected package scponly.
(Reading database ... 28911 files and directories currently installed.)
Unpacking scponly (from .../scponly_4.6-1_amd64.deb) ...
Setting up scponly (4.6-1) ...

user@web01:~/$ sudo adduser guest
Adding user `guest' ...
Adding new group `guest' (1005) ...
Adding new user `guest' (1004) with group `guest' ...
Creating home directory `/home/guest' ...
Copying files from `/etc/skel' ...
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
Changing the user information for guest
Enter the new value, or press ENTER for the default
Full Name []: Guest User
Room Number []:
Work Phone []:
Home Phone []:
Other []:
Is the information correct? [y/N] y

user@web01:~/$ sudo usermod -s /usr/bin/scponly guest

[ Parent | Reply to this comment ]

Posted by Anonymous (78.105.xx.xx) on Thu 2 Dec 2010 at 11:16
Thanks for that, I didn't know about scponly, it's a much better solution.

Particularly thanks for illustrating it's just a shell (there are a bunch of similar programs and it was nice to see it was one I wouldn't have to worry about faffing about with).

[ Parent | Reply to this comment ]

Posted by Anonymous (125.22.xx.xx) on Fri 16 Mar 2007 at 06:24
I am running OpenSSH on Windows 2003. I would like to restrict some users to use SFTP only and to log in through SSH.

Does anyone know how to do this?

Thanks in advance.

[ Parent | Reply to this comment ]

Posted by Anonymous (210.48.xx.xx) on Mon 21 Mar 2011 at 20:10
Set a deny ACL for the user/group on c:\windows\system32\cmd.exe.

Crude but effective.

[ Parent | Reply to this comment ]

Posted by Anonymous (125.22.xx.xx) on Fri 16 Mar 2007 at 06:27
I am running OpenSSH on Windows 2003. I would like to restrict some users to use SFTP only.

Does anyone know how to do this?

Thanks in advance.

[ Parent | Reply to this comment ]

Posted by Anonymous (196.218.xx.xx) on Sun 15 Jul 2007 at 17:30
I am interested to know if you were able to do that, since I am facing the same issue over here.

[ Parent | Reply to this comment ]

Posted by Anonymous (130.132.xx.xx) on Fri 24 Aug 2007 at 14:21
You have a typo in the line:

root@host # echo '/usr/lib/stfp-server' >> /etc/shells

Change it to:

root@host # echo '/usr/lib/sftp-server' >> /etc/shells

H. Morrow Long

[ Parent | Reply to this comment ]

Posted by Anonymous (128.208.xx.xx) on Mon 17 Sep 2007 at 21:16
None of these solutions prevent a guest sftp user from traversing the filesystem outside of their home directory. For that, you'll need some method of chrooting the sftp-server to some directory (maybe the guest user's home directory).

[ Parent | Reply to this comment ]

Posted by Anonymous (213.233.xx.xx) on Thu 11 Oct 2007 at 10:47
I used a little script that is used as shell, that checks whether it's sftp-server executed... Creating an SFTP-only / FTP-only account

[ Parent | Reply to this comment ]

Posted by mahoro (80.68.xx.xx) on Tue 6 Nov 2007 at 12:58
Hey, why can't I write something like ssh user@host /bin/sh after changing my default shell?

[ Parent | Reply to this comment ]

Posted by Anonymous (2001:0xx:0xx:0xxx:0xxx:0xxx:xx) on Sat 15 Oct 2011 at 20:35
Congratulations, you are completely missing the point. Or trolling. Yeah, probably trolling.

[ Parent | Reply to this comment ]

Posted by linuxman1 (212.12.xx.xx) on Mon 4 Feb 2008 at 19:58
Thanks, that worked fine for me, but I have a problem now with the permissions of the group. When I changed /bin/bash for the users to sftp-server, nobody could delete the files which the other users made, although the permissions are set correctly as the group has rwx permissions. And when I changed the login shell back to bash, everything went fine again and the users were able to control the files which are shared among them, as I use sftp to share files among groups. Please try it yourself and help: why, although the permissions of the directory are rwxrwx---, can the group users not control the files of the group and only view them?
Thanks

[ Parent | Reply to this comment ]

Posted by Anonymous (64.81.xx.xx) on Mon 27 Jul 2009 at 21:29
Make sure that the server where this is implemented does not receive direct email from the outside world or that you've disabled .qmail/.forward access to commands.

Most mail systems implement the ability to pipe email messages directly to a command that will be run on the message when it arrives using /bin/sh. A user could simply create a simple shell script with "chsh -s bash" in it, then create a .forward with "|./mynastyscript" and then send themselves an email message. Voila, they now have shell access.

Note: some mail systems (qmail for example) will only do this if the user has a "valid" shell (read: one listed in /etc/shells).

--G. Clifford Williams

[ Parent | Reply to this comment ]

Posted by Anonymous (86.177.xx.xx) on Thu 17 Mar 2011 at 23:20
PLEASE NOTE: Don't copy and paste, there is a typo in the last command.

[ Parent | Reply to this comment ]

Posted by TheJH (212.110.xx.xx) on Wed 19 Feb 2014 at 03:42
This is a very bad idea.

As far as I can see, there is nothing that would stop such a "restricted" user from reading /proc/self/maps, which defeats ASLR, and then opening and writing to /proc/self/mem, which would let him overwrite the stack. This way, that "restricted" user could easily start a shell.

[ Parent | Reply to this comment ]
