Ssh – How to disable sftp access to user with ssh already disabled (user shell = /bin/false, but connection still works with sftp)

Tags: sftp, ssh

In sshd_config, by default, login is allowed for all groups and users. The allow/deny directives are processed in the following order: DenyUsers, AllowUsers, DenyGroups, and finally AllowGroups. (found in the man page).

So, I have to configure the server in a "blacklist way" (everyone is allowed, then I explicitly define to whom access can be denied).

Is there a way to do the opposite? I want that if a user can't connect via ssh, the sftp connection is refused as well, unless he matches a rule.

I set the default shell to /bin/false (so classic ssh connection is disabled).

Locking the user (usermod -L usersftp1) obviously prevents the user from using both sftp and ssh (which is fine for me).

I tried to use the DenyGroups !sftp directive to disallow users other than those matching sftp, but it didn't work for usersftp1 (which does not belong to the group sftp, neither as primary nor as supplementary group).


I configured my server to manage some sftp access (starting with Subsystem sftp internal-sftp)

In /etc/passwd, the line usersftp1:x:5001:5001::/home/sftp/usersftp1:/bin/false

The ssh connection doesn't work (which is what I want), but I can connect through sftp (besides the fact that I haven't allowed that user yet).

I want the default behavior to be "connection not allowed" if user has the /bin/false shell.

EDIT: more configuration details:

file /etc/passwd:
    usersftp1:x:50001:5001::/home/sftp/usersftp1:/bin/false
file /etc/group:
    usersftp1:x:5001

file /etc/ssh/sshd_config:
    …
    Subsystem sftp internal-sftp -l INFO
    # This is commented, so no rules will be set for user "usersftp1"
    #   Match user usersftp1
    #   X11Forwarding no
    #   ChrootDirectory %h
    #   AllowTcpForwarding no
    #   ForceCommand internal-sftp

    # This config works as expected
    Match user usersftp2
    X11Forwarding no
    ChrootDirectory %h
    AllowTcpForwarding no
    ForceCommand internal-sftp

In auth.log, I can see the user using sftp:

Starting session: subsystem 'sftp' for usersftp1 from xxx.xxx.xxx.xxx port 55552

In that configuration, after service ssh restart, users usersftp1 and usersftp2 can both connect using sftp (besides the fact that the first one is commented out).

Best Answer

I don't think that Match User is working in the way that you think it is.

Match
Introduces a conditional block. If all of the criteria on the Match line are satisfied, the keywords on the following lines override those set in the global section of the config file, until either another Match line or the end of the file. If a keyword appears in multiple Match blocks that are satisfied, only the first instance of the keyword is applied.

So in your particular case the Match User usersftp2 only applies to and overrides the configuration for usersftp2.

When your usersftp1 connects, the sftp program is run for them by sshd and no user specific configurations are applied.


If I understand your question correctly you should be able to do what you want with a group.

Create a group, e.g. sftpusers (groupadd ...), and then add the users you want to allow to it (usermod -G ...).

Then configure sshd to only allow sftp for users in that group:

Match Group sftpusers
  # Force the connection to use SFTP
  ForceCommand internal-sftp
  # Disable tunneling, authentication agent, TCP and X11 forwarding.
  PermitTunnel no
  AllowAgentForwarding no
  AllowTcpForwarding no
  X11Forwarding no
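As an added example (not code from the question or the answer), the following Python models two things discussed above: the allow/deny order quoted from the man page in the question (DenyUsers, AllowUsers, DenyGroups, AllowGroups) and the way a Match Group block overrides the global section, as described in the answer. The accounts, the group names sshusers and sftpusers, and the allow-list sshd_config text are constructed assumptions. It reproduces the observation in the question: with no Allow*/Deny* directives, a /bin/false login shell does not stop sftp, because internal-sftp runs inside the sshd session process and never invokes the login shell, and it shows how an AllowGroups default-deny plus one Match Group block gives the "refused unless a rule matches" behaviour the question asks for.

```python
"""Model of sshd's documented allow/deny order (DenyUsers, AllowUsers,
DenyGroups, AllowGroups) and of Match Group overrides, run against
constructed accounts.  Added example; not code from the question or answer."""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase

# Constructed accounts (not a real /etc/passwd or /etc/group).
ACCOUNTS = {
    "usersftp1": {"shell": "/bin/false", "groups": ["usersftp1"]},
    "usersftp2": {"shell": "/bin/false", "groups": ["usersftp2", "sftpusers"]},
    "alice":     {"shell": "/bin/bash",  "groups": ["alice", "sshusers"]},
}

# The poster's situation: no Allow*/Deny* directives, so everyone may log in.
DEFAULT_ALLOW_CONFIG = """\
Subsystem sftp internal-sftp -l INFO
"""

# Assumed allow-list alternative: default deny, then one Match block for sftp-only accounts.
ALLOW_LIST_CONFIG = """\
Subsystem sftp internal-sftp -l INFO
AllowGroups sshusers sftpusers

Match Group sftpusers
    ForceCommand internal-sftp
    ChrootDirectory %h
    PermitTunnel no
    AllowAgentForwarding no
    AllowTcpForwarding no
    X11Forwarding no
"""


@dataclass
class Policy:
    deny_users: list = field(default_factory=list)
    allow_users: list = field(default_factory=list)
    deny_groups: list = field(default_factory=list)
    allow_groups: list = field(default_factory=list)
    # (criterion, pattern list, keywords) for each Match block, in file order
    match_blocks: list = field(default_factory=list)


def parse_sshd_config(text):
    """Pick out the directives this model needs; everything else is ignored."""
    pol = Policy()
    block = None  # keyword dict of the Match block currently being read
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, rest = line.partition(" ")
        key, rest = key.lower(), rest.strip()
        if key == "match":
            crit, _, patterns = rest.partition(" ")
            block = {}
            pol.match_blocks.append((crit.lower(), patterns.strip().split(","), block))
        elif block is not None:
            block[key] = rest  # keyword inside a Match block, applies only when it matches
        elif key == "denyusers":
            pol.deny_users += rest.split()
        elif key == "allowusers":
            pol.allow_users += rest.split()
        elif key == "denygroups":
            pol.deny_groups += rest.split()
        elif key == "allowgroups":
            pol.allow_groups += rest.split()
    return pol


def _matches(patterns, name):
    return any(fnmatchcase(name, p) for p in patterns)


def evaluate(policy, user, request, accounts=ACCOUNTS):
    """Return what sshd would do for `user` asking for a 'shell' or 'sftp' session."""
    acct = accounts[user]
    groups = acct["groups"]
    # Steps 1-4 follow the order given in sshd_config(5); the first hit decides.
    if _matches(policy.deny_users, user):
        return {"allowed": False, "reason": "DenyUsers"}
    if policy.allow_users and not _matches(policy.allow_users, user):
        return {"allowed": False, "reason": "AllowUsers"}
    if any(_matches(policy.deny_groups, g) for g in groups):
        return {"allowed": False, "reason": "DenyGroups"}
    if policy.allow_groups and not any(_matches(policy.allow_groups, g) for g in groups):
        return {"allowed": False, "reason": "AllowGroups"}
    # Login is allowed; matching Match Group blocks override globals, first keyword wins.
    effective = {}
    for crit, patterns, keywords in policy.match_blocks:
        if crit == "group" and any(_matches(patterns, g) for g in groups):
            for k, v in keywords.items():
                effective.setdefault(k, v)
    if "forcecommand" in effective:
        session = effective["forcecommand"]  # overrides whatever the client requested
    elif request == "sftp":
        session = "internal-sftp"            # in-process subsystem, login shell never runs
    else:
        session = acct["shell"]              # /bin/false exits at once: no interactive shell
    return {"allowed": True, "reason": "no deny matched", "session": session}


if __name__ == "__main__":
    for name, cfg in (("default-allow", DEFAULT_ALLOW_CONFIG), ("allow-list", ALLOW_LIST_CONFIG)):
        pol = parse_sshd_config(cfg)
        for user in ACCOUNTS:
            print(name, user, "sftp ->", evaluate(pol, user, "sftp"))
```

On a real server the equivalent check is `sshd -T -C user=usersftp1,host=HOST,addr=ADDR` (HOST and ADDR being placeholders for the client's name and address), which prints the effective configuration after the Match blocks for that connection have been applied, and `sshd -t -f FILE` syntax-checks a candidate file before the service is restarted.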