<div dir="ltr">Use "ForceCommand" in your sshd config.<div><br></div><div>from the man page:<br><br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><b style="color:rgb(68,68,68);font-family:verdana,helvetica,arial,sans-serif;font-size:16px">ForceCommand<br></b><span style="color:rgb(68,68,68);font-family:verdana,helvetica,arial,sans-serif;font-size:16px">Forces the execution of the command specified by </span><b style="color:rgb(68,68,68);font-family:verdana,helvetica,arial,sans-serif;font-size:16px">ForceCommand</b><span style="color:rgb(68,68,68);font-family:verdana,helvetica,arial,sans-serif;font-size:16px">, ignoring any command supplied by the client and </span><i style="color:rgb(68,68,68);font-family:verdana,helvetica,arial,sans-serif;font-size:16px">~/.ssh/rc</i><span style="color:rgb(68,68,68);font-family:verdana,helvetica,arial,sans-serif;font-size:16px"> if present. The command is invoked by using the user's login shell with the -c option. This applies to shell, command, or subsystem execution. It is most useful inside a </span><b style="color:rgb(68,68,68);font-family:verdana,helvetica,arial,sans-serif;font-size:16px">Match</b><span style="color:rgb(68,68,68);font-family:verdana,helvetica,arial,sans-serif;font-size:16px"> block. The command originally supplied by the client is available in the SSH_ORIGINAL_COMMAND environment variable. 
Specifying a command of ''internal-sftp'' will force the use of an in-process sftp server that requires no support files when used with </span><b style="color:rgb(68,68,68);font-family:verdana,helvetica,arial,sans-serif;font-size:16px">ChrootDirectory</b><span style="color:rgb(68,68,68);font-family:verdana,helvetica,arial,sans-serif;font-size:16px">.<br></span></blockquote><br></div><div><br>If you have been using ".profile" to "force" command execution when users log in, it is a terrible idea and easy to bypass.</div><div><br></div><div>For further discussions see: <a href="https://serverfault.com/questions/653812/enable-ssh-shell-access-but-disable-sftp-access">https://serverfault.com/questions/653812/enable-ssh-shell-access-but-disable-sftp-access</a></div><div><br></div><div>-</div><div>Anthony</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Jul 20, 2017 at 10:36 PM, Andrew Furey <span dir="ltr"><<a href="mailto:andrew.furey@gmail.com" target="_blank">andrew.furey@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div>(Re-replying to keep on list; admins, what happened to the Reply-To?)<br><br><br><div><div>Why? Because that's not part of their rental agreement; it's a
SaaS model (from way before that definition) so they're only allowed to
run this application. We own the servers themselves, and rent access to
the software (ERP package) for them to use.<br><br></div>Other uses via
direct SSH are obscure enough not to be concerned about I think - the
majority of users are accountants so wouldn't know the tricks, but even
so a simple SFTP login (with a valid user account, by definition) is too
much of a temptation so we're trying to head that off.<br><br></div>The permission change may work; I'll need to test. It depends on whether the Subsystem setup spawns it as that user or not.<span class="HOEnZb"><font color="#888888"><br><br></font></span></div><span class="HOEnZb"><font color="#888888">Andrew<br></font></span></div><div class="HOEnZb"><div class="h5"><div class="gmail_extra"><br><div class="gmail_quote">On 20 July 2017 at 17:23, John McCabe-Dansted <span dir="ltr"><<a href="mailto:gmatht@gmail.com" target="_blank">gmatht@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Why do you want to stop sftp? Do you want to stop "ssh cat\ remotefile > local file" as well?<div><br></div><div>If you just want to discourage users from accidentally violating some anti-sftp policy, something like `chmod 750 /usr/bin/sftp` might work.</div><div><br></div><div>This clearly wouldn't prevent the user from using other ways of using their ssh account as a filesystem. If you want to discourage that you could try limiting bandwidth to 64Kbps.</div></div><div class="gmail_extra"><br><div class="gmail_quote"><div><div class="m_-3557059109808642470h5">On 20 July 2017 at 17:04, Andrew Furey <span dir="ltr"><<a href="mailto:andrew.furey@gmail.com" target="_blank">andrew.furey@gmail.com</a>></span> wrote:<br></div></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div class="m_-3557059109808642470h5"><div dir="ltr"><div><div><div><div><div>Hi all, long time no post...<br><br></div>I have a requirement for users to have full user-level SSH access (their profile then launches a full-session application and logs out at the end; they don't have shell access within this application so it's safe enough to just allow as normal).<br><br></div>I want to restrict the ability to use SFTP to trundle through the filesystem. 
However I would like to still allow it for root (grand prize being other specified users if possible too) so I can't just turn the Subsystem itself off... can I?<br><br></div>I don't think I can use the internal-sftp and then chroot it (which would probably also be sufficient) as the requirement for 755 root:root on the home directory and above will most likely break the intended application.<br><br></div>Any ideas?<span class="m_-3557059109808642470m_7831812000002568754HOEnZb"><font color="#888888"><br><br></font></span></div><span class="m_-3557059109808642470m_7831812000002568754HOEnZb"><font color="#888888">Andrew<br clear="all"><div><div><div><div><div><div><div><div><br>-- <br><div class="m_-3557059109808642470m_7831812000002568754m_9183486629248798881gmail_signature" data-smartmail="gmail_signature">Linux supports the notion of a command line or a shell for the same<br>reason that only children read books with only pictures in them.<br>Language, be it English or something else, is the only tool flexible<br>enough to accomplish a sufficiently broad range of tasks.<br> -- Bill Garrett</div>
</div></div></div></div></div></div></div></div></font></span></div>
<br></div></div>_______________________________________________<br>
PLUG discussion list: <a href="mailto:plug@plug.org.au" target="_blank">plug@plug.org.au</a><br>
<a href="http://lists.plug.org.au/mailman/listinfo/plug" rel="noreferrer" target="_blank">http://lists.plug.org.au/mailman/listinfo/plug</a><br>
Committee e-mail: <a href="mailto:committee@plug.org.au" target="_blank">committee@plug.org.au</a><br>
PLUG Membership: <a href="http://www.plug.org.au/membership" rel="noreferrer" target="_blank">http://www.plug.org.au/membership</a><span class="m_-3557059109808642470HOEnZb"><font color="#888888"><br></font></span></blockquote></div><span class="m_-3557059109808642470HOEnZb"><font color="#888888"><br><br clear="all"><div><br></div>-- <br><div class="m_-3557059109808642470m_7831812000002568754gmail_signature" data-smartmail="gmail_signature">John C. McCabe-Dansted</div>
</font></span></div>
</blockquote></div><br><br clear="all"><br>-- <br><div class="m_-3557059109808642470gmail_signature" data-smartmail="gmail_signature">Linux supports the notion of a command line or a shell for the same<br>reason that only children read books with only pictures in them.<br>Language, be it English or something else, is the only tool flexible<br>enough to accomplish a sufficiently broad range of tasks.<br> -- Bill Garrett</div>
</div>
</div></div></blockquote></div><br></div>
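Anthony's ForceCommand suggestion worked through as a wrapper script with the sshd_config fragment it relies on: root and named users are left unforced (so they keep SFTP), everyone else is funnelled through the wrapper, which launches the application for an interactive login and refuses sftp subsystem requests and ad-hoc commands. This is an added example, not code from the thread; the `erpusers` group, the `erp-session` script name and the `/opt/erp/bin/launch` path are assumptions.

```shell
#!/bin/sh
# Assumed sshd_config fragment (illustrative, not from the thread):
#
#   Subsystem sftp /usr/lib/openssh/sftp-server
#   # root and named admins: no ForceCommand, so shell and SFTP both work
#   Match User root,admin1
#       PasswordAuthentication no
#   # ERP users: every session, shell or subsystem, runs this wrapper
#   Match Group erpusers
#       ForceCommand /usr/local/sbin/erp-session
#
# Under ForceCommand sshd runs the forced command via "$SHELL -c" and puts
# what the client asked for in SSH_ORIGINAL_COMMAND: unset for an
# interactive login, the configured subsystem command (the sftp-server
# path, or "internal-sftp") for an sftp request, or the literal command
# for "ssh host cmd" (which also covers scp and "ssh host cat file").

APP=${ERP_LAUNCHER:-/opt/erp/bin/launch}   # hypothetical application path

# Classify a session from its SSH_ORIGINAL_COMMAND value.
# Prints one of: shell, deny-sftp, deny-command
decide_session() {
    case "$1" in
        "")                          echo shell ;;
        internal-sftp|*sftp-server*) echo deny-sftp ;;
        *)                           echo deny-command ;;
    esac
}

# Only enforce when actually started by sshd as the wrapper
# (SSH_CONNECTION is set by sshd); sourcing the file elsewhere is harmless.
if [ -n "$SSH_CONNECTION" ] && [ "${0##*/}" = "erp-session" ]; then
    decision=$(decide_session "${SSH_ORIGINAL_COMMAND:-}")
    case "$decision" in
        shell)
            exec "$APP" ;;
        deny-sftp)
            logger -t erp-session "sftp refused for $USER from ${SSH_CONNECTION%% *}"
            echo "SFTP is not permitted on this account." >&2
            exit 1 ;;
        deny-command)
            logger -t erp-session "command refused for $USER: $SSH_ORIGINAL_COMMAND"
            echo "Only the application session is permitted on this account." >&2
            exit 1 ;;
    esac
fi
```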