[plug] Allow SSH but deny SFTP?

Andrew Furey andrew.furey at gmail.com
Thu Jul 20 22:36:03 AWST 2017


(Re-replying to keep on list; admins, what happened to the Reply-To?)


Why? Because that's not part of their rental agreement; it's a SaaS model
(from way before that definition) so they're only allowed to run this
application. We own the servers themselves, and rent access to the software
(ERP package) for them to use.

Other uses via direct SSH are obscure enough not to be concerned about I
think - the majority of users are accountants so wouldn't know the tricks,
but even so a simple SFTP login (with a valid user account, by definition)
is too much of a temptation so we're trying to head that off.

The permission change may work, I'll need to test; depends whether the
Subsystem setup spawns it as that user or not.

Andrew

On 20 July 2017 at 17:23, John McCabe-Dansted <gmatht at gmail.com> wrote:

> Why do you want to stop sftp? Do you want to stop "ssh cat\ remotefile >
> local file" as well?
>
> If you just want to discourage users from accidentally violating some
> anti-sftp policy, something like `chmod 750 /usr/bin/sftp` might work
>
> This clearly wouldn't prevent the user from using other ways of using
> their ssh account as a filesystem. If you want to discourage that you could
> try limiting bandwidth to 64Kbps.
>
> On 20 July 2017 at 17:04, Andrew Furey <andrew.furey at gmail.com> wrote:
>
>> Hi all, long time no post...
>>
>> I have a requirement for users to have full user-level SSH access (their
>> profile then launches a full-session application and logs out at the end;
>> they don't have shell access within this application so it's safe enough to
>> just allow as normal).
>>
>> I want to restrict ability to use SFTP to trundle through the filesystem.
>> However I would like to still allow it for root (grand prize being other
>> specified users if possible too) so I can't just turn the Subsystem itself
>> off... can I?
>>
>> I don't think I can use the internal-sftp and then chroot it (which would
>> probably also be sufficient) as the requirement for 755 root:root on the
>> home directory and above will most likely break the intended application.
>>
>> Any ideas?
>>
>> Andrew
>>
>> --
>> Linux supports the notion of a command line or a shell for the same
>> reason that only children read books with only pictures in them.
>> Language, be it English or something else, is the only tool flexible
>> enough to accomplish a sufficiently broad range of tasks.
>>                           -- Bill Garrett
>>
>> _______________________________________________
>> PLUG discussion list: plug at plug.org.au
>> http://lists.plug.org.au/mailman/listinfo/plug
>> Committee e-mail: committee at plug.org.au
>> PLUG Membership: http://www.plug.org.au/membership
>>
>
>
>
> --
> John C. McCabe-Dansted
>



-- 
Linux supports the notion of a command line or a shell for the same
reason that only children read books with only pictures in them.
Language, be it English or something else, is the only tool flexible
enough to accomplish a sufficiently broad range of tasks.
                          -- Bill Garrett
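An added example, not posted by anyone in this thread and not part of any
project's code: since sshd starts the `Subsystem` process under the uid of the
user who authenticated (which answers the question above about whether it is
spawned as that user), a small gate script can stand in for sftp-server and
decide per user whether to exec the real server. Two caveats this relies on:
`Subsystem` is not permitted inside a `Match` block, so the decision has to be
made by the program sshd runs; and the binary sshd executes for the subsystem
is sftp-server, not the `/usr/bin/sftp` client, so a permission change has to
land on the server binary to have any effect on incoming logins. The
sftp-server path (Debian/Ubuntu layout), the group name `sftpok` and the
install location `/usr/local/sbin/sftp-gate` are assumptions made for this
example.

```shell
#!/bin/sh
# Added example, not from the thread: an "sshd Subsystem sftp" gate that
# exec()s the real sftp-server only for root or members of one group and
# refuses everyone else. sshd starts the subsystem as the logged-in user,
# so id(1) below reports whoever authenticated.
#
# Install (assumed paths):
#   cp sftp-gate /usr/local/sbin/sftp-gate && chmod 755 /usr/local/sbin/sftp-gate
#   sshd_config:  Subsystem sftp /usr/local/sbin/sftp-gate
# Subsystem cannot be set inside a Match block, hence a program that decides.

REAL_SFTP_SERVER=/usr/lib/openssh/sftp-server   # assumption: Debian/Ubuntu path
SFTP_GROUP=sftpok                               # assumption: allow-list group

# sftp_allowed USER GROUP...  -> returns 0 if USER may use SFTP, 1 otherwise.
# Root is always allowed; everyone else needs SFTP_GROUP in their group list.
# Kept a pure function of its arguments so it can be exercised without sshd.
sftp_allowed() {
    _user=$1
    shift
    [ "$_user" = root ] && return 0
    for _g in "$@"; do
        [ "$_g" = "$SFTP_GROUP" ] && return 0
    done
    return 1
}

# sftp_gate_main: the real entry point, reached only when sshd runs us.
sftp_gate_main() {
    _who=$(id -un)
    # shellcheck disable=SC2046   (word-splitting the group list is intended)
    if sftp_allowed "$_who" $(id -Gn); then
        exec "$REAL_SFTP_SERVER" "$@"
    fi
    # Refused: log it with the client address sshd put in SSH_CONNECTION and
    # exit without speaking the SFTP protocol, so the client just sees the
    # subsystem close rather than a directory listing.
    logger -t sftp-gate "refused sftp subsystem for $_who from ${SSH_CONNECTION%% *}"
    exit 1
}

# sshd sets SSH_CONNECTION for every session; when the file is merely
# sourced for testing it is unset and nothing below runs.
if [ -n "$SSH_CONNECTION" ]; then
    sftp_gate_main "$@"
fi
```

Root keeps working unchanged, and the "grand prize" of extra users is just a
matter of adding them to the allow-list group. For the ERP accounts themselves
a `Match Group` block with `ForceCommand` pointing at the application launcher
is worth considering as well: sshd then runs the forced command for every
session from those users regardless of what the client asked for, which covers
the `ssh host cat remotefile` case raised earlier as well as SFTP; root and the
SFTP group should be kept out of that Match.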