10

I want to restrict all users on a server to only be able to use SFTP while the members of an admin group should have full SSH access.

I found that it is possible to restrict the members of a group by using Match Group and ForceCommand. But I found no logical negation. So I tried to construct it in reverse:

# SFTP only, full access only for admin group
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp

Match Group admin
    X11Forwarding yes
    AllowTcpForwarding yes
    ForceCommand /usr/local/sbin/ssh-allowcmd.sh

and built a script ssh-allowcmd.sh that executes either the given command or /bin/bash for interactive access.

Is there a better solution?

robcast

4 Answers

22

If you're using OpenSSH 5.1 or later then it supports Match Group negation.

Assuming the defaults are OK for the admin group, then just change everyone else:

Match Group *,!admin
    X11Forwarding no
    AllowTcpForwarding no
    ForceCommand internal-sftp

There's really no reason to rely on third-party shells to do this kind of job with recent OpenSSH releases.

Dan Carley
  • Yes, that is exactly what I was looking for. Now if only it were in the documentation. – robcast Jul 24 '09 at 10:33
  • It is kind of alluded to by the reference to the PATTERNS section of ssh_config(5). It would be a bit simpler yet if it didn't require the preceding wildcard. Although this solution turns out to be simpler, I wish there was a `none` argument to `ForceCommand` also. – Dan Carley Jul 24 '09 at 10:44
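To see why the answer writes `*,!admin` rather than `!admin` on its own, and how that compares with the reverse construction in the question, here is an added example (not OpenSSH code and not from either poster) that models the pattern-list rules documented in the PATTERNS section of ssh_config(5) and the way sshd applies a `Match Group` pattern to a user's whole group list, then resolves `ForceCommand` for a few constructed sample users under both sshd_config layouts. The wrapper path `/usr/local/sbin/ssh-allowcmd.sh` is taken from the question; the user names and group memberships are made up for the demonstration.

```python
"""Model of the Match Group pattern-list rules used by the answer above.

Added example, not OpenSSH code: it re-implements the rules documented in the
PATTERNS section of ssh_config(5) ('*' and '?' wildcards, comma-separated
lists, '!' negation, a negated match being decisive, and a list made only of
negations matching nothing) and the way sshd applies them to a user's group
list, then evaluates the two sshd_config layouts from this page against
constructed sample users.
"""


def match_pattern(s: str, pattern: str) -> bool:
    """Match one ssh-style pattern: '*' matches any run of characters, '?' one."""
    if not pattern:
        return s == ""
    if pattern[0] == "*":
        # Try every split point, including consuming nothing.
        return any(match_pattern(s[i:], pattern[1:]) for i in range(len(s) + 1))
    if s and (pattern[0] == "?" or pattern[0] == s[0]):
        return match_pattern(s[1:], pattern[1:])
    return False


def match_pattern_list(s: str, pattern_list: str) -> int:
    """Match against a comma-separated pattern list.

    Returns 1 for a positive match, -1 when a negated ('!') pattern matched,
    0 when nothing matched.  A negated match wins as soon as it is seen, and a
    list containing only negations can never return 1: that is why the answer
    needs the leading '*' in '*,!admin'.
    """
    got_positive = 0
    for sub in pattern_list.split(","):
        negated = sub.startswith("!")
        if match_pattern(s, sub[1:] if negated else sub):
            if negated:
                return -1
            got_positive = 1
    return got_positive


def group_list_matches(groups, pattern_list: str) -> bool:
    """Match Group semantics over all of a user's groups.

    A negated hit on any group excludes the user outright (an admin who is
    also in 'users' still does not match '*,!admin'); otherwise the user
    matches if at least one group matched positively.
    """
    found = False
    for group in groups:
        result = match_pattern_list(group, pattern_list)
        if result == -1:
            return False
        if result == 1:
            found = True
    return found


def effective_force_command(config, groups):
    """Resolve ForceCommand for a user with the given groups.

    config is a list of (group_pattern, settings) pairs in file order; a
    pattern of None stands for the global section, which sshd_config(5)
    requires to precede every Match block.  A matching Match block overrides
    the global value, and among Match blocks only the first obtained value
    for a keyword is used.  Returns None when no ForceCommand applies.
    """
    effective = {}
    set_by_match = set()
    for pattern, settings in config:
        if pattern is None:
            effective.update(settings)
        elif group_list_matches(groups, pattern):
            for keyword, value in settings.items():
                if keyword not in set_by_match:
                    effective[keyword] = value
                    set_by_match.add(keyword)
    return effective.get("ForceCommand")


# The question's reverse construction: SFTP-only for everyone, with the
# wrapper script from the question handing a shell back to the admin group.
REVERSE_CONFIG = [
    (None, {"ForceCommand": "internal-sftp", "AllowTcpForwarding": "no"}),
    ("admin", {"ForceCommand": "/usr/local/sbin/ssh-allowcmd.sh",
               "AllowTcpForwarding": "yes"}),
]

# The accepted answer: admin keeps the defaults, everyone else is matched.
NEGATION_CONFIG = [
    ("*,!admin", {"ForceCommand": "internal-sftp", "AllowTcpForwarding": "no"}),
]

# Constructed sample users (not real accounts).
SAMPLE_USERS = {
    "alice": ["users", "admin"],   # admin who is also in an ordinary group
    "bob": ["users"],
    "carol": ["users", "sftp"],
}

if __name__ == "__main__":
    for name, groups in SAMPLE_USERS.items():
        print(f"{name:6} groups={groups}")
        print(f"       reverse construction -> {effective_force_command(REVERSE_CONFIG, groups)}")
        print(f"       '*,!admin' negation  -> {effective_force_command(NEGATION_CONFIG, groups)}")
    # A negation-only list matches nobody, so '!admin' alone would restrict no one.
    print("'!admin' alone matches bob:", group_list_matches(SAMPLE_USERS["bob"], "!admin"))
```

Both layouts give bob and carol `internal-sftp` and leave alice unrestricted, but the negation form reaches that result without a wrapper script sitting in the admin users' command path. On a real host the same question is answered authoritatively by `sshd -T -C user=bob,host=...,addr=...`, which prints the effective configuration for that connection.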
3

I use MySecureShell to limit users to SFTP only connections. I do this for specific users, but I am sure you can configure it to limit by default so the exemption would be for you to give shell access as well.

http://mysecureshell.sourceforge.net/

J.Zimmerman
2

What you want is scponly. If you're running Debian/Ubuntu it's in the repos. Once installed, you just do the following:

$ sudo chsh -s /usr/bin/scponly username

It also allows you to chroot the users.

Alternatively you can do the following:

$ usermod -s /usr/lib/sftp-server username
$ echo '/usr/lib/sftp-server' >> /etc/shells

The first line restricts the user's shell to sftp. The second line is to make sftp-server a valid shell.

As you didn't specify the OS that you are using, I am unable to tailor the commands to your specific needs.

Swoogan
  • I didn't specify it, but I can't change the users' shells because this info comes from LDAP and a real shell is needed there. – robcast Jul 24 '09 at 09:54
  • Also, since OpenSSH 5.1 the builtin possibility of ForceCommand is more secure than scponly. – robcast Jul 24 '09 at 09:57
  • Also, this doesn't solve the problem of restricting by default and allowing a single group. – robcast Jul 24 '09 at 09:58
0

If the users don't need access to the same files, but rather you don't want to set up a second server just for SFTP, I would recommend virtualization instead. You can install OpenVZ and set up very lightweight VMs to handle this.

If this is accurate to your situation, you will probably find the OpenVZ installation will come in handy for other stuff like this as well over time.

Kyle Brandt