16

I have added a user to the system via the adduser tool. Then, in /etc/passwd, I tried changing the /bin/bash to /sbin/nologin or to /dev/null, but neither of these worked.

I would like the user not to have the option of getting an interactive shell, and just to use sftp. Is there a way?

I know it's been asked here before but it seems no-one gave a satisfactory response.

Will
  • 1,127
  • 10
  • 25
Toni Rosa
  • 181
  • 1
  • 2
  • 8

4 Answers

11

The command you should use to change the shell is chsh. The nologin shell can be /sbin/nologin or /usr/sbin/nologin (check which you have by looking in /etc/shells) but /bin/false would probably be a better choice.

chsh -s /bin/false user

You should consider setting up something like scponly which will do exactly what you want.

user9517
  • 114,104
  • 20
  • 206
  • 289
  • Thanks for your answer. I have tried with the shells inside /etc/shell with no luck... /bin/false gives a "lost connection" and /sbin/nologin returns a "This account is currently not available.". I will try this scponly – Toni Rosa May 12 '11 at 12:47
  • I solved it using the scponly shell! Cheers – Toni Rosa May 12 '11 at 12:59
  • 3
    This answer is the needle in the hay! Make sure `/bin/false` and `/bin/nologin` are actually available in `/etc/shells`! – q9f Apr 14 '16 at 11:10
  • @Afri Fine, but... you'll really want to read https://serverfault.com/questions/328395/nologin-in-etc-shells-is-dangerous-why/328424#328424 . This is pretty strongly contraindicated. – Reinderien Feb 19 '19 at 01:40
  • @Afr don't put `nologin` in `/etc/shells`! https://serverfault.com/a/328424 – Rob Audenaerde Nov 26 '19 at 10:50
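The comments on this answer disagree about whether a nologin shell belongs in /etc/shells, and the later ones link to a warning against it. The following POSIX shell script is an added example, not code from the thread or from any of its participants: it audits a passwd-format file for accounts whose login shell is a nologin/false shell and flags any such shell that is also listed in a shells-format file. The file paths are parameters, and the sample passwd/shells contents are constructed, so it runs offline; `--live` points it at the real /etc/passwd and /etc/shells.

```shell
#!/bin/sh
# Added example, not code from the original thread. Audits a passwd-format
# file for accounts whose login shell is a nologin/false shell and flags any
# such shell that is also listed in a shells-format file. File paths are
# parameters so it can run against constructed sample files as well as the
# live /etc/passwd and /etc/shells.

# Write constructed sample files (standing in for /etc/passwd and
# /etc/shells) into the directory given as $1.
make_samples() {
  cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001::/home/alice:/bin/bash
sftpuser:x:1002:1002::/home/sftpuser:/bin/false
svc:x:1003:1003::/var/svc:/usr/sbin/nologin
EOF
  cat > "$1/shells" <<'EOF'
# valid login shells (constructed sample)
/bin/sh
/bin/bash
/usr/sbin/nologin
EOF
}

# Usage: audit_nologin_shells PASSWD_FILE SHELLS_FILE
# Prints one line per account whose shell ends in /nologin or /false:
#   "<user> <shell> LISTED"  the shell is also listed in SHELLS_FILE
#   "<user> <shell> ok"      it is not
audit_nologin_shells() {
  passwd_file=$1
  shells_file=$2
  # passwd has seven colon-separated fields; the shell is the last one.
  while IFS=: read -r user pw uid gid gecos home shell; do
    case "$shell" in
      */nologin|*/false)
        # -x: match the whole line; -F: treat the path as a fixed string
        if grep -qxF "$shell" "$shells_file"; then
          echo "$user $shell LISTED"
        else
          echo "$user $shell ok"
        fi
        ;;
    esac
  done < "$passwd_file"
}

# Stand-alone use: "--demo" runs against the constructed samples,
# "--live" against the real system files.
case "${1:-}" in
  --demo)
    d=$(mktemp -d); make_samples "$d"
    audit_nologin_shells "$d/passwd" "$d/shells"; rm -rf "$d" ;;
  --live)
    audit_nologin_shells /etc/passwd /etc/shells ;;
esac
```

Run with `--demo` to see the two flagged accounts from the sample data (the `/bin/false` one reports `ok`, the `/usr/sbin/nologin` one reports `LISTED` because the sample shells file contains it); run with `--live` on a host to see which of its own service accounts fall into each group.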
11

You should also be able to do it with OpenSSH 4.9 and up, with which you can additionally chroot the user for increased security.

In your /etc/ssh/sshd_config:

Match User user
ChrootDirectory /home/user
ForceCommand internal-sftp
AllowTcpForwarding no

Then run:

chsh -s /bin/false user
chown root:root /home/user
mkdir /home/user/uploads
chown user /home/user/uploads

The user will only be able to write in /home/user/uploads.

https://debian-administration.org/article/590/OpenSSH_SFTP_chroot_with_ChrootDirectory

genpfault
  • 109
  • 6
Eduardo Ivanec
  • 14,531
  • 1
  • 35
  • 42
  • +1 I've put this on my list to investigate. – user9517 May 12 '11 at 14:11
  • 1
    I've used it and it works just fine - you can also give the user a choice to log in to the chroot environment with a shell, but in that case you have to copy a minimum of libraries and some other utilities as expected. Jailkit (http://olivier.sessink.nl/jailkit/) comes in handy for that. – Eduardo Ivanec May 12 '11 at 14:14
  • Thanks, ForceCommand was a hint. I don't need chroot, but I do want to login to SFTP with service accounts. – AnrDaemon Nov 16 '18 at 15:06
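The `chown root:root /home/user` step in the answer above reflects a rule sshd enforces for ChrootDirectory: every component of the path must be owned by root and must not be writable by group or others, otherwise sshd refuses the login and logs a bad-ownership-or-modes error for the chroot directory. The script below is an added example, not code from the answer or from OpenSSH: it walks a path component by component and reports the first one that violates the rule. It assumes GNU `stat` (`-c '%u %a'`, as on Linux); the optional TOP and UID parameters exist only so the logic can be exercised against a directory tree you own without root.

```shell
#!/bin/sh
# Added example, not code from the original answer. Checks that a
# ChrootDirectory path meets the ownership rule sshd enforces: every path
# component must be owned by root and must not be group- or world-writable.
# Assumes GNU stat (-c '%u %a', Linux).

# Usage: check_chroot_path PATH [TOP] [UID]
#   TOP  the highest component to check (default "/")
#   UID  the required owner (default 0, i.e. root); a non-root value is only
#        useful for testing the logic against a directory tree you own
# Prints "ok" and returns 0 on success; prints "FAIL <component>: <reason>"
# and returns 1 at the first offending component.
check_chroot_path() {
  path=$1
  top=${2:-/}
  want_uid=${3:-0}
  p=$path
  while :; do
    info=$(stat -c '%u %a' "$p" 2>/dev/null) || {
      echo "FAIL $p: cannot stat"; return 1
    }
    uid=${info%% *}
    mode=${info##* }
    if [ "$uid" -ne "$want_uid" ]; then
      echo "FAIL $p: owner uid $uid, expected $want_uid"; return 1
    fi
    # The last two octal digits of the mode are the group and other
    # permission bits; bit 2 in each is write.
    grp=$(( (mode / 10) % 10 ))
    oth=$(( mode % 10 ))
    if [ $(( grp & 2 )) -ne 0 ] || [ $(( oth & 2 )) -ne 0 ]; then
      echo "FAIL $p: mode $mode is group- or world-writable"; return 1
    fi
    # Stop after checking TOP (or the filesystem root).
    if [ "$p" = "$top" ] || [ "$p" = "/" ]; then
      break
    fi
    p=$(dirname "$p")
  done
  echo "ok"
}

# Stand-alone use: check the path given on the command line, e.g.
#   sh check_chroot.sh /home/user
if [ -n "${1:-}" ]; then
  check_chroot_path "$1"
fi
```

Running it against the answer's layout (`/home/user` root-owned, with a user-owned `uploads` subdirectory underneath) should print `ok` for `/home/user`; note that the check is applied to the ChrootDirectory path itself, not to `uploads`, which is intentionally writable by the user.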
2

I think the best way is with mysecureshell

http://mysecureshell.sourceforge.net/en/index.html

You can chroot a user with this easily and even limit bandwidth if needed.

Mike
  • 21,910
  • 7
  • 55
  • 79
1

You can add a user with -s /bin/false to disable their shell, but what you really should look into setting up is a chrooted sftp account. This will "jail" a user into their own directory and prevent them from being able to access or modify any files or directories outside of the chroot directory.

user9517
  • 114,104
  • 20
  • 206
  • 289
gravyface
  • 13,947
  • 16
  • 65
  • 100
  • Thanks for your answer, but it doesn't seem to work. I get a "lost connection" whenever I try it with a user whose shell is /bin/false. – Toni Rosa May 12 '11 at 12:41