Ssh – How to disable sftp subsystem for a specific user or group

sftpssh

On a linux server running OpenSSH,

How can I disable sftp access (the sftp subsystem) for a specific user/group?

The user should only be able to access a shell but have no sftp access.

Edit:

The purpose is to give users a ssh key which can only be used to execute one specific command (using the command="…" option in authorized_keys). And they shouldn't be allowed to use sftp.
Is it already taken care of when using the command="…" option?

Best Answer

If you are using the SFTP SubSystem where it spawns a separate process, you could create a sftp group and only allow execution of the sftp-server binary for that group. It will not be possible to do this with the newer internalized sftp daemon, which is specified with internal-sftp.

If they have shell access, they will still be able to scp. Do you have a particular goal in mind?

Edit

If you want to restrict your user to only executing or utilizing a specific program, I would probably recommend a shell wrapper instead. command= might work but it seems more likely to be fallible. I would do more testing to be sure.

A shell wrapper, such as scponly, will only allow the end-user to scp. I have modified the source of scponly before to only allow CVS execution, for example. This can also be done with a shell script but it is easier to make mistakes if you do not fully understand the scope of what you are trying to do.

Best Answer

Related Solutions

Can Malicious User Bypass SSH Authorized_Keys Forced Command?

Ssh – How to use openssh sftp command with a RSA/DSA key specified from the command line

Related Topic