[plug] Allow SSH but deny SFTP?

John McCabe-Dansted gmatht at gmail.com
Thu Jul 20 17:23:03 AWST 2017


Why do you want to stop sftp? Do you want to stop "ssh cat\ remotefile >
local file" as well?

If you just want to discourage users from accidentally violating some anti-sftp
policy, something like `chmod 750 /usr/bin/sftp` might work.

This clearly wouldn't prevent the user from using other ways of using their
ssh account as a filesystem. If you want to discourage that you could try
limiting bandwidth to 64Kbps.

On 20 July 2017 at 17:04, Andrew Furey <andrew.furey at gmail.com> wrote:

> Hi all, long time no post...
>
> I have a requirement for users to have full user-level SSH access (their
> profile then launches a full-session application and logs out at the end;
> they don't have shell access within this application so it's safe enough to
> just allow as normal).
>
> I want to restrict ability to use SFTP to trundle through the filesystem.
> However I would like to still allow it for root (grand prize being other
> specified users if possible too) so I can't just turn the Subsystem itself
> off... can I?
>
> I don't think I can use the internal-sftp and then chroot it (which would
> probably also be sufficient) as the requirement for 755 root:root on the
> home directory and above will most likely break the intended application.
>
> Any ideas?
>
> Andrew
>
> --
> Linux supports the notion of a command line or a shell for the same
> reason that only children read books with only pictures in them.
> Language, be it English or something else, is the only tool flexible
> enough to accomplish a sufficiently broad range of tasks.
>                           -- Bill Garrett



-- 
John C. McCabe-Dansted