Ssh – Allowing root login on sftp while disallowing it over ssh


For security I only allow a dummy user to log in via SSH on my CentOS 5.8 server, for this I added:

AllowUsers dummyaccount

When accessing my server I then login with the dummy and use su - to gain root privileges, this works perfectly well.

Now I've set up sftp using:

Subsystem sftp /usr/libexec/openssh/sftp-server

When I make an ssh tunnel with my ssh client and connect to it with FileZilla I can nicely login with my dummy account and I end up in its root.

However I'd now like to either gain root permissions with my dummy account when on sftp so I can completely manage the file system with it OR I'd like to allow root login on sftp but not on ssh, so in other words I'd login in ssh with the dummy and use su - to gain root permissions like described above but when I'd make a ssh tunnel I'd be able to login with my root over sftp.

I've heard of a way to only allow sftp access for a user by changing their shell to the sftp-server, but that's clearly not an option for root since changing its shell would break the system for all I know.
Making a different user with that configuration works, but then they'll have just as limited access to the file system over sftp as the dummy.

What would you suggest?

Best Answer

Require key based authentication. Set the PermitRootLogin without-password option. Setup a key that has a force command of internal-sftp. Or update your sshd_config with a match section to force sftp.

Match user root
    ForceCommand internal-sftp  # force SFTP