CA BD NY
    Creating SFTP-only User Accounts to Kill SSH Access

    Published September 26th, 2009

    Problem Statement

    We wanted to create SFTP-only user accounts that cannot SSH into the server to run commands. We could not find a built-in approach to this problem, so we created a simple shell script to solve it. Here we discuss how it works.

    Step 1: Create a shell script to run as the user’s shell

    Create a shell script called /sbin/sftp-only as follows:

    #!/bin/sh
    
    # sshd runs the user's login shell as "<shell> -c <command>". An SFTP
    # login arrives with the command "/usr/lib/openssh/sftp-server" and
    # nothing else, so every other invocation (interactive login, remote
    # command) is refused with a non-zero exit status.
    if [ "$*" != "-c /usr/lib/openssh/sftp-server" ]; then
       echo "Sorry, ssh access not allowed."
       exit 1
    fi
    
    # Hand the session over to the real SFTP server.
    exec /usr/lib/openssh/sftp-server

    Step 2: Edit user accounts to use this shell script as the user's shell

    Modify the user accounts with usermod so that their shell is /sbin/sftp-only. When such a user tries to SSH to the server, the shell script displays the "Sorry, ssh access not allowed." message; when the user connects with an SFTP client, the script is executed and starts the SFTP server for the user.
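    The following is an added example, not the post's /sbin/sftp-only script. It implements the same gate as two shell functions so the decision can be exercised without an sshd, and it generalises the post slightly by reading the sftp-server path from the "Subsystem sftp" line of sshd_config instead of hard-coding it. The sshd_config excerpt, the user name "alice" and the SFTP_ONLY_AS_SHELL variable are constructed for the example.

```shell
#!/bin/sh
# Added example (not the post's own script). Two pieces:
#   sftp_server_path  reads "Subsystem sftp <path>" from sshd_config text on stdin
#   sftp_gate         accepts only the exact argv sshd uses to start that subsystem
# SAMPLE_SSHD_CONFIG and SFTP_ONLY_AS_SHELL are constructed for this example.

SAMPLE_SSHD_CONFIG='# constructed sshd_config excerpt
Port 22
Subsystem sftp /usr/lib/openssh/sftp-server
'

# Print the sftp-server binary named in the sshd_config text on stdin.
# This is the value that differs between distributions (/usr/lib/... on
# Debian and Ubuntu, /usr/libexec/... on RHEL and CentOS).
sftp_server_path() {
    awk '$1 == "Subsystem" && $2 == "sftp" { print $3; exit }'
}

# sshd starts the subsystem by running the login shell as
#     <shell> -c <sftp-server path>
# so a legitimate SFTP login arrives as exactly two arguments. Anything else
# is refused: an interactive login has no arguments, "ssh host cmd" arrives
# as "-c cmd", and a command string that merely contains the path still
# differs from the bare path. $1 is the expected sftp-server path; the rest
# is the shell's own "$@". Returns 0 to allow, 1 to deny.
sftp_gate() {
    expected="$1"
    shift
    [ "$#" -eq 2 ] && [ "$1" = "-c" ] && [ "$2" = "$expected" ]
}

# Installed use: save as /sbin/sftp-only, chmod 755, then
#     usermod -s /sbin/sftp-only alice
# With SFTP_ONLY_AS_SHELL=1 the script behaves as that login shell; the
# constructed config stands in for "< /etc/ssh/sshd_config".
if [ "${SFTP_ONLY_AS_SHELL:-0}" = "1" ]; then
    server=$(printf '%s' "$SAMPLE_SSHD_CONFIG" | sftp_server_path)
    if sftp_gate "$server" "$@"; then
        exec "$server"
    fi
    echo "Sorry, ssh access not allowed." >&2
    exit 1
fi

# Stand-alone demonstration of the decision for a few argument vectors.
server=$(printf '%s' "$SAMPLE_SSHD_CONFIG" | sftp_server_path)
show() {
    if sftp_gate "$server" "$@"; then echo "allow: $*"; else echo "deny:  $*"; fi
}
show                        # interactive ssh login: no arguments
show -c "$server"           # sftp client: the only accepted form
show -c /bin/bash           # ssh host /bin/bash
show -c "$server; id"       # single argument that is not the bare path
```

    Note what the gate does and does not do: it decides only which command the login shell will run. It does not restrict which directories the SFTP user can read or write, so file permissions still do the real access control. Later OpenSSH releases provide the same restriction natively through ForceCommand internal-sftp, usually combined with ChrootDirectory inside a Match block in sshd_config.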


    2 Comments

    1. Alain Bequer on October 6, 2009

      For RedHat Enterprise Linux 4.0 the location of the sftp-server is different from CentOS. The script that you need for RHEL 4 is:

      #!/bin/sh

      # Same gate as the original script, with the RHEL 4 sftp-server path.
      if [ "$*" != "-c /usr/libexec/openssh/sftp-server" ]; then
         echo "Sorry, ssh access not allowed."
         exit 1
      fi

      exec /usr/libexec/openssh/sftp-server

    2. Hamza on December 7, 2009

      Thanks for the tip, although with CentOS release 5.4 I had to use “/usr/libexec/openssh/sftp-server” instead of the original path.

      I guess that path depends on the sftp subsystem setting you have in your “sshd_config” file…
