On a Linux server running OpenSSH, how can I disable sftp access (the sftp subsystem) for a specific user/group?

The user should only be able to access a shell but have no sftp access.

Edit:

The purpose is to give users an SSH key which can only be used to execute one specific command (using the command="..." option in authorized_keys). And they shouldn't be allowed to use sftp. Is it already taken care of when using the command="..." option?

Weboide

1 Answer

If you are using the SFTP SubSystem where it spawns a separate process, you could create an sftp group and only allow execution of the sftp-server binary for that group. It will not be possible to do this with the newer internalized sftp daemon, which is specified with internal-sftp.

If they have shell access, they will still be able to scp. Do you have a particular goal in mind?

Edit

If you want to restrict your user to only executing or utilizing a specific program, I would probably recommend a shell wrapper instead. command= might work but it seems more likely to be fallible. I would do more testing to be sure.

A shell wrapper, such as scponly, will only allow the end-user to scp. I have modified the source of scponly before to only allow CVS execution, for example. This can also be done with a shell script but it is easier to make mistakes if you do not fully understand the scope of what you are trying to do.

Warner
  • I want to give an SSH key to users which they can only use for a specific command (with the command="..." option in authorized_keys). See my edit. – Weboide Jul 20 '10 at 10:39
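
The shell-script wrapper mentioned in the answer, combined with the command="..." option from the question, as an added example that is not code from either poster. The script path /usr/local/bin/ssh-gate, the program /usr/local/bin/report-status, the request name report-status and the key material are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: deny-by-default forced-command wrapper (hypothetical names).
# Assumed authorized_keys entry, on one line (key material is a placeholder):
#   command="/usr/local/bin/ssh-gate --serve",no-pty,no-port-forwarding,
#   no-agent-forwarding,no-X11-forwarding ssh-rsa AAAA...placeholder user@host
#
# sshd(8): a forced command applies to shell, command and subsystem
# execution; what the client asked for arrives in SSH_ORIGINAL_COMMAND.

ALLOWED_CMD="/usr/local/bin/report-status"   # hypothetical permitted program
REQUEST_NAME="report-status"                 # the only request string accepted

# classify_request REQUEST -> prints "run" or "deny:<reason>".
# Only an exact match runs; the other branches exist to log a clear reason.
classify_request() {
    case $1 in
        "$REQUEST_NAME")                     echo "run" ;;
        '')                                  echo "deny:interactive-shell" ;;
        sftp|internal-sftp*|*/sftp-server*)  echo "deny:sftp" ;;
        scp|scp\ *)                          echo "deny:scp" ;;
        *)                                   echo "deny:not-allowlisted" ;;
    esac
}

# handle_request: act on the verdict. The client string is never passed to
# eval or "sh -c", and no client-supplied arguments reach the program.
handle_request() {
    verdict=$(classify_request "${SSH_ORIGINAL_COMMAND-}")
    if [ "$verdict" = "run" ]; then
        exec "$ALLOWED_CMD"
    fi
    logger -t ssh-gate "user=${USER-unknown} $verdict" 2>/dev/null || true
    echo "ssh-gate: request refused (${verdict#deny:})" >&2
    return 1
}

# Only act when invoked by sshd with --serve, as in the entry above.
if [ "${1-}" = "--serve" ]; then
    handle_request
    exit $?
fi
```

With this entry the client runs `ssh host report-status`; an sftp or scp attempt with the same key is refused and logged, whether the server uses an external sftp-server or internal-sftp.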