
I'd like to know how to disable sftp or FTP access in general for a certain user through SSH. I've found many articles describing how you can enable sftp without SSH access, but sadly no article on how to do the opposite.

  • Seems like a pointless restriction. Whatever they wanted to do through SFTP, they could do using regular SSH, if only in a more annoying way. What do you want to accomplish? – muru Oct 01 '17 at 22:49
  • I want to create a user that can be accessed via SSH, that, in the best case scenario, automatically starts a shell script the user can't break out of. Generally the idea is that the user can't do anything but what I want him to be able to do, and snooping through the file system, let alone editing it, is not one of these things. – UmBottesWillen Oct 02 '17 at 17:51
  • Then you want to use SSH's ForceCommand option, which will automatically disable sftp and scp. – muru Oct 02 '17 at 18:56
  • In future, please post what you actually want to accomplish, not what you think will get you there. We don't want to read XY problems. – muru Oct 02 '17 at 18:58

1 Answer


Maybe you can explain more fully what you want? If you tell us what is allowed on your system now (which transfer programs are available/running), and which user privileges are still to be allowed and which are to be denied, we can help.

I found questions like yours in old posts. This is on the money, but users say the sshd match config quit working:

https://serverfault.com/questions/290843/how-to-disable-sftp-for-some-users-but-keep-ssh-enabled

Answers there support my first reaction: Users that have accounts and SSH access have file transfer ability and there is not much to do about it.

Another match group example you could try.

https://passingcuriosity.com/2014/openssh-restrict-to-sftp-chroot/

Note this last one is after the internal-sftp design change, so it is encouraging. This is going in the same direction:

http://blog.mesouug.com/2014/06/30/centos-ssh-disable-scp-and-sftp-for-some-users/

This 2016 post says a deny hosts listing for a particular user will work in sshd_config.

https://unix.stackexchange.com/questions/266413/how-to-disable-sftp-for-a-user-but-keep-ftp-enabled

I worry. If you allow port 22 logins for these users you want to regulate, it seems tough/impossible to control uploads after that. They can use scp from inside the system. They could use ftp if you have it. They could probably find a way to do it in a web browser too.

This 2013 post says he replaced the user's shell to restrict ftp:

https://fatmin.com/2013/11/25/disable-ssh-for-sftp-users-in-unix-and-linux/

But it seems to me a determined user could circumvent it. If your system has even a few convenient programs installed, clever users are going to transfer files.

pauljohn32
  • 3,743
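
The ForceCommand approach suggested in the comments, sketched as an added example that is not part of the original thread: a wrapper script that sshd runs in place of whatever the client requested, offering only a fixed menu. The user name `kiosk`, the install path, the menu actions and the patterns used to recognise sftp/scp requests are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Hypothetical sshd_config stanza
# (the user "kiosk" and the install path are made up):
#   Match User kiosk
#       ForceCommand /usr/local/bin/restricted-menu
#       AllowTcpForwarding no
#       AllowAgentForwarding no
#       X11Forwarding no
#       PermitTunnel no

# Map one menu choice to a fixed action. The input is only compared
# against literals; it is never passed to eval, sh -c or used as a path.
run_choice() {
    case "$1" in
        1) uptime ;;
        2) df -h / ;;
        q) return 10 ;;
        *) echo "invalid choice" >&2; return 1 ;;
    esac
}

# Describe what the client asked for. With ForceCommand, sshd exposes the
# replaced request in SSH_ORIGINAL_COMMAND; an interactive login leaves it
# unset. The sftp/scp patterns are assumptions about how such requests look.
describe_request() {
    case "${1-}" in
        "") echo interactive ;;
        *sftp-server*|internal-sftp*) echo sftp ;;
        scp\ *) echo scp ;;
        *) echo command ;;
    esac
}

menu_main() {
    trap '' INT QUIT TSTP    # ignore Ctrl-C, Ctrl-\ and Ctrl-Z
    req=$(describe_request "${SSH_ORIGINAL_COMMAND-}")
    if [ "$req" != interactive ]; then
        logger -t restricted-menu "refused $req request" 2>/dev/null || true
        echo "only the interactive menu is available" >&2
        return 1
    fi
    while printf '1) uptime  2) disk usage  q) quit > ' && IFS= read -r choice; do
        rc=0; run_choice "$choice" || rc=$?
        [ "$rc" -eq 10 ] && break
    done
    return 0
}

# Start the menu only when run as a script under the hypothetical name.
case "${0##*/}" in restricted-menu) menu_main; exit $? ;; esac
```

After changing `sshd_config`, `sshd -t` checks the file for syntax errors before the daemon is reloaded.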