[plug] Allow SSH but deny SFTP?

Anthony Woods anthony at monkey.id.au
Fri Jul 21 01:46:14 AWST 2017


Use "ForceCommand"  in your sshd config.

from the man page:


> *ForceCommand*Forces the execution of the command specified by
> *ForceCommand*, ignoring any command supplied by the client and
> *~/.ssh/rc* if present. The command is invoked by using the user's login
> shell with the -c option. This applies to shell, command, or subsystem
> execution. It is most useful inside a *Match* block. The command
> originally supplied by the client is available in the SSH_ORIGINAL_COMMAND
> environment variable. Specifying a command of ''internal-sftp'' will force
> the use of an in-process sftp server that requires no support files when
> used with *ChrootDirectory*.
>


If you have been using ".profile"  to "force" command execution when users
log in, it is a terrible idea and easy to bypass.

For further discussions see:
https://serverfault.com/questions/653812/enable-ssh-shell-access-but-disable-sftp-access

-
Anthony

On Thu, Jul 20, 2017 at 10:36 PM, Andrew Furey <andrew.furey at gmail.com>
wrote:

> (Re-replying to keep on list; admins, what happened to the Reply-To?)
>
>
> Why? Because that's not part of their rental agreement; it's a SaaS model
> (from way before that definition) so they're only allowed to run this
> application. We own the servers themselves, and rent access to the software
> (ERP package) for them to use.
>
> Other uses via direct SSH are obscure enough not to be concerned about I
> think - the majority of users are accountants so wouldn't know the tricks,
> but even so a simple SFTP login (with a valid user account, by definition)
> is too much of a temptation so we're trying to head that off.
>
> The permission change may work, I'll need to test; depends whether the
> Subsystem setup spawns it as that user or not.
>
> Andrew
>
> On 20 July 2017 at 17:23, John McCabe-Dansted <gmatht at gmail.com> wrote:
>
>> Why do you want to stop sftp? Do you want to stop "ssh cat\ remotefile >
>> local file" as well?
>>
>> If you just to discourage users  from accidentally violating some anti
>> sftp policy, something like `chmod 750 /usr/bin/sftp` might work
>>
>> This clearly wouldn't prevent the user from using other ways of using
>> their ssh account as a filesystem. If you want to discourage that you could
>> try limiting bandwidth to 64Kbps.
>>
>> On 20 July 2017 at 17:04, Andrew Furey <andrew.furey at gmail.com> wrote:
>>
>>> Hi all, long time no post...
>>>
>>> I have a requirement for users to have full user-level SSH access (their
>>> profile then launches a full-session application and logs out at the end;
>>> they don't have shell access within this application so it's safe enough to
>>> just allow as normal).
>>>
>>> I want to restrict ability to use SFTP to trundle through the
>>> filesystem. However I would like to still allow it for root (grand prize
>>> being other specified users if possible too) so I can't just turn the
>>> Subsystem itself off... can I?
>>>
>>> I don't think I can use the internal-sftp and then chroot it (which
>>> would probably also be sufficient) as the requirement for 755 root:root on
>>> the home directory and above will most likely break the intended
>>> application.
>>>
>>> Any ideas?
>>>
>>> Andrew
>>>
>>> --
>>> Linux supports the notion of a command line or a shell for the same
>>> reason that only children read books with only pictures in them.
>>> Language, be it English or something else, is the only tool flexible
>>> enough to accomplish a sufficiently broad range of tasks.
>>>                           -- Bill Garrett
>>>
>>> _______________________________________________
>>> PLUG discussion list: plug at plug.org.au
>>> http://lists.plug.org.au/mailman/listinfo/plug
>>> Committee e-mail: committee at plug.org.au
>>> PLUG Membership: http://www.plug.org.au/membership
>>>
>>
>>
>>
>> --
>> John C. McCabe-Dansted
>>
>
>
>
> --
> Linux supports the notion of a command line or a shell for the same
> reason that only children read books with only pictures in them.
> Language, be it English or something else, is the only tool flexible
> enough to accomplish a sufficiently broad range of tasks.
>                           -- Bill Garrett
>
> _______________________________________________
> PLUG discussion list: plug at plug.org.au
> http://lists.plug.org.au/mailman/listinfo/plug
> Committee e-mail: committee at plug.org.au
> PLUG Membership: http://www.plug.org.au/membership
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.plug.org.au/pipermail/plug/attachments/20170721/16d2c02b/attachment.html>


More information about the plug mailing list