Restricting sftp users from opening ssh shells

 

If you want to enable given user to manage his files over sftp, but you don't want him to execute commands on your system there's an easy way to do this. You should just set user's login shell to stfp-server - this is the program which enables sftp over ssh. To find where exactly is it on your installation, use this command:

 

grep Subsystem /etc/ssh/sshd_config

 

You'll get /usr/libexec/sftp-server for example. Next add this to the list of allowed shells:

 

echo '/usr/libexec/sftp-server' >> /etc/shells

 

And finally modify user's shell:

 

usermod -s /usr/libexec/sftp-server sftpuser

 

That's it - now sftpuser account can only use sftp.

 

 

No comments yet

Back to articles list

This page was last modified on 2018-12-09 01:34:06