Is it possible to grant users sftp access without shell access? If yes, how is it implemented?qemu: how to...
Dilemma of explaining to interviewer that he is the reason for declining second interview
How to make ice magic work from a scientific point of view?
Airplane generations - how does it work?
general past possibility with COULD
Is using an 'empty' metaphor considered bad style?
Python Pandas - difference between 'loc' and 'where'?
Cat is tipping over bed-side lamps during the night
Why is Agricola named as such?
Why are the books in the Game of Thrones citadel library shelved spine inwards?
When can a QA tester start his job?
Why did the villain in the first Men in Black movie care about Earth's Cockroaches?
Why didn't Tom Riddle take the presence of Fawkes and the Sorting Hat as more of a threat?
When do I have to declare that I want to twin my spell?
How to deal with possible delayed baggage?
Identify KNO3 and KH2PO4 at home
Why would space fleets be aligned?
What is the wife of a henpecked husband called?
Salsa20 Implementation: Sum of 2 Words with Carries Suppressed
What makes papers publishable in top-tier journals?
Am I a Rude Number?
How to not let the Identify spell spoil everything?
What happens when a creature with flying blocks my non-flying attacker?
A Missing Symbol for This Logo
Do authors have to be politically correct in article-writing?
Is it possible to grant users sftp access without shell access? If yes, how is it implemented?
qemu: how to access host via sftpDenying “/opt/” access for SFTP Users other than particular dirHow To Access SFTP on UbuntuSFTP access to different parts of the apache webroot for different usersSet startup folder for SFTP to be other than /home/username is throwing me permission issuesLinux and SMB permissions not working as expectedACL File permissions for a group not workingAllow access via sshkey to specific chrooted userWrite to folder with one user via SFTP, but read only with other userTemporary SSH access for SFTP
I have an array of users who need to just upload files to their set homedirs. I think sftp would suffice, but I don't want them to login via shell. So is it possible?
My platform is centos 7, user's homedirs are stored lets say /personal/$user
I created user with these settings
useradd -m -d /personal/user1 -s /sbin/nologin
assigned user a passwd, then when I use sftp to login to the machine, it says cannot connect.
sftp nologin
asked 3 hours ago
SollosaSollosa
4291717
add a comment |
I have an array of users who need to just upload files to their set homedirs. I think sftp would suffice, but I don't want them to login via shell. So is it possible?
My platform is centos 7, user's homedirs are stored lets say /personal/$user
I created user with these settings
useradd -m -d /personal/user1 -s /sbin/nologin
assigned user a passwd, then when I use sftp to login to the machine, it says cannot connect.
sftp nologin
asked 3 hours ago
SollosaSollosa
4291717
add a comment |
I have an array of users who need to just upload files to their set homedirs. I think sftp would suffice, but I don't want them to login via shell. So is it possible?
My platform is centos 7, user's homedirs are stored lets say /personal/$user
I created user with these settings
useradd -m -d /personal/user1 -s /sbin/nologin
assigned user a passwd, then when I use sftp to login to the machine, it says cannot connect.
sftp nologin
asked 3 hours ago
SollosaSollosa
4291717
I have an array of users who need to just upload files to their set homedirs. I think sftp would suffice, but I don't want them to login via shell. So is it possible?
My platform is centos 7, user's homedirs are stored lets say /personal/$user
I created user with these settings
useradd -m -d /personal/user1 -s /sbin/nologin
assigned user a passwd, then when I use sftp to login to the machine, it says cannot connect.
sftp nologin
sftp nologin
asked 3 hours ago
SollosaSollosa
4291717
asked 3 hours ago
SollosaSollosa
4291717
edited 2 hours ago
Sollosa
asked 3 hours ago
SollosaSollosa
4291717
asked 3 hours ago
SollosaSollosa
4291717
asked 3 hours ago
SollosaSollosa
4291717
4291717
add a comment |
add a comment |
3 Answers
3
active
oldest
votes
Edit your /etc/ssh/sshd_config to contain:
Match User [SFTP user]
ForceCommand internal-sftp
Restart sshd. If you have multiple users put them all on the match user line separated by commas like so:
Match User User1,User2,User3
The key to configuring sftp to not allow shell access is to limit users via the ForceCommand option.
answered 2 hours ago
kemotepkemotep
2,3643720
Ok I did follow all steps but it did not log in
– Sollosa
2 hours ago
1
@Sollosa Try withMatch User [SFTP user]ForceCommand internal-sftponly, without chrooting stuff.
– Martin Prikryl
2 hours ago
@MartinPrikryl it worked Martin, thanks, I just removed chrootdirectory parameter & viola
– Sollosa
2 hours ago
@MartinPrikryl the post has been corrected. Thank you for pointing out the key parts.
– kemotep
1 hour ago
add a comment |
I like the following setup for managing SSH access, which I use at work to manage a group of users on small fleet of servers.
Its key feature is managing SSH rights through Unix group membership, and having pretty tight permissions by default.
Setting up
Install software (optional but useful):
yum install members # or apt install members
Add groups:
addgroup --system allowssh
addgroup --system sftponly
In /etc/ssh/sshd_config, ensure that the following to settings are No:
PermitRootLogin no
PubkeyAuthentication no
PasswordAuthentication no
And at the end of /etc/ssh/sshd_config, add these two stanzas:
Match Group allowssh
PubkeyAuthentication yes
Match Group sftponly
ChrootDirectory %h
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp
(don't forget to restart SSH after editing the file)
Explanation
So, what does all this do?
- It always disables root logins, as an extra security measure.
- It always disables password-based logins (easily the biggest security issue with SSH).
- It only allows pubkey login for users in the
allowsshgroup. - Users in the
sftponlygroup cannot get a shell over SSH, only SFTP.
Managing who has access is then simply done by managing group membership (these changes take effect immediately, no SSH restart required):
# adduser marcelm allowssh
# members allowssh
marcelm
# deluser marcelm allowssh
# members allowssh
#
Note that your sftp users need to be members of both sftponly (to ensure they won't get a shell), and of allowssh (to allow login in the first place).
Note also that you need to use public key authentication; password logins no longer work. This is probably the single biggest security gain you can get with SSH, so it's worth the effort.
Extra information
You can set the shell of the sftponly users to /sbin/nologin if you want, according to your own tastes.
This configuration limits sftponly users to their homedirectory. If you do not want that, remove the ChrootDirectory %h directive.
For bonus points, have a look at restricting who can su to root; add a system group called wheel, and add/enable auth required pam_wheel.so in /etc/pam.d/su.
answered 44 mins ago
marcelmmarcelm
1,170410
This should be the accepted answer. It provides the solution as well as breaking down the reasoning behind each step.
– kemotep
5 mins ago
add a comment |
just change their default shell to /sbin/nologin. Assuming most varieties of Linux:
# usermod -s /sbin/nologin username
answered 3 hours ago
MellaMella
223111
I have tried it, but user is not able to login via sftp, I don't know why. I'm using centos btw.
– Sollosa
3 hours ago
@Sollosa Probably either a permission problem in your sftp chroot, or sshd_config has a problem. You should update your question to include the permissions of your chroot directory, and your sshd_config with any sensitive information redacted.
– Mella
2 hours ago
I believe (though I cannot test it now) that this allows SFTP only if there's alsoSubsystem sftp internal-sftp) (or maybeForceCommand internal-sftp). If there's commonSubsystem sftp /path/to/sftp-server,nologinwill prevent even SFTP.
– Martin Prikryl
2 hours ago
add a comment |
Your Answer
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "106"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f503312%2fis-it-possible-to-grant-users-sftp-access-without-shell-access-if-yes-how-is-i%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
3 Answers
3
active
oldest
votes
3 Answers
3
active
oldest
votes
active
oldest
votes
active
oldest
votes
Edit your /etc/ssh/sshd_config to contain:
Match User [SFTP user]
ForceCommand internal-sftp
Restart sshd. If you have multiple users put them all on the match user line separated by commas like so:
Match User User1,User2,User3
The key to configuring sftp to not allow shell access is to limit users via the ForceCommand option.
answered 2 hours ago
kemotepkemotep
2,3643720
Ok I did follow all steps but it did not log in
– Sollosa
2 hours ago
1
@Sollosa Try withMatch User [SFTP user]ForceCommand internal-sftponly, without chrooting stuff.
– Martin Prikryl
2 hours ago
@MartinPrikryl it worked Martin, thanks, I just removed chrootdirectory parameter & viola
– Sollosa
2 hours ago
@MartinPrikryl the post has been corrected. Thank you for pointing out the key parts.
– kemotep
1 hour ago
add a comment |
Edit your /etc/ssh/sshd_config to contain:
Match User [SFTP user]
ForceCommand internal-sftp
Restart sshd. If you have multiple users put them all on the match user line separated by commas like so:
Match User User1,User2,User3
The key to configuring sftp to not allow shell access is to limit users via the ForceCommand option.
answered 2 hours ago
kemotepkemotep
2,3643720
Ok I did follow all steps but it did not log in
– Sollosa
2 hours ago
1
@Sollosa Try withMatch User [SFTP user]ForceCommand internal-sftponly, without chrooting stuff.
– Martin Prikryl
2 hours ago
@MartinPrikryl it worked Martin, thanks, I just removed chrootdirectory parameter & viola
– Sollosa
2 hours ago
@MartinPrikryl the post has been corrected. Thank you for pointing out the key parts.
– kemotep
1 hour ago
add a comment |
Edit your /etc/ssh/sshd_config to contain:
Match User [SFTP user]
ForceCommand internal-sftp
Restart sshd. If you have multiple users put them all on the match user line separated by commas like so:
Match User User1,User2,User3
The key to configuring sftp to not allow shell access is to limit users via the ForceCommand option.
answered 2 hours ago
kemotepkemotep
2,3643720
Edit your /etc/ssh/sshd_config to contain:
Match User [SFTP user]
ForceCommand internal-sftp
Restart sshd. If you have multiple users put them all on the match user line separated by commas like so:
Match User User1,User2,User3
The key to configuring sftp to not allow shell access is to limit users via the ForceCommand option.
answered 2 hours ago
kemotepkemotep
2,3643720
edited 1 hour ago
answered 2 hours ago
kemotepkemotep
2,3643720
answered 2 hours ago
kemotepkemotep
2,3643720
answered 2 hours ago
kemotepkemotep
2,3643720
2,3643720
Ok I did follow all steps but it did not log in
– Sollosa
2 hours ago
1
@Sollosa Try withMatch User [SFTP user]ForceCommand internal-sftponly, without chrooting stuff.
– Martin Prikryl
2 hours ago
@MartinPrikryl it worked Martin, thanks, I just removed chrootdirectory parameter & viola
– Sollosa
2 hours ago
@MartinPrikryl the post has been corrected. Thank you for pointing out the key parts.
– kemotep
1 hour ago
add a comment |
Ok I did follow all steps but it did not log in
– Sollosa
2 hours ago
1
@Sollosa Try withMatch User [SFTP user]ForceCommand internal-sftponly, without chrooting stuff.
– Martin Prikryl
2 hours ago
@MartinPrikryl it worked Martin, thanks, I just removed chrootdirectory parameter & viola
– Sollosa
2 hours ago
@MartinPrikryl the post has been corrected. Thank you for pointing out the key parts.
– kemotep
1 hour ago
Ok I did follow all steps but it did not log in
– Sollosa
2 hours ago
Ok I did follow all steps but it did not log in
– Sollosa
2 hours ago
1
1
@Sollosa Try with
Match User [SFTP user] ForceCommand internal-sftp only, without chrooting stuff.– Martin Prikryl
2 hours ago
@Sollosa Try with
Match User [SFTP user] ForceCommand internal-sftp only, without chrooting stuff.– Martin Prikryl
2 hours ago
@MartinPrikryl it worked Martin, thanks, I just removed chrootdirectory parameter & viola
– Sollosa
2 hours ago
@MartinPrikryl it worked Martin, thanks, I just removed chrootdirectory parameter & viola
– Sollosa
2 hours ago
@MartinPrikryl the post has been corrected. Thank you for pointing out the key parts.
– kemotep
1 hour ago
@MartinPrikryl the post has been corrected. Thank you for pointing out the key parts.
– kemotep
1 hour ago
add a comment |
I like the following setup for managing SSH access, which I use at work to manage a group of users on small fleet of servers.
Its key feature is managing SSH rights through Unix group membership, and having pretty tight permissions by default.
Setting up
Install software (optional but useful):
yum install members # or apt install members
Add groups:
addgroup --system allowssh
addgroup --system sftponly
In /etc/ssh/sshd_config, ensure that the following to settings are No:
PermitRootLogin no
PubkeyAuthentication no
PasswordAuthentication no
And at the end of /etc/ssh/sshd_config, add these two stanzas:
Match Group allowssh
PubkeyAuthentication yes
Match Group sftponly
ChrootDirectory %h
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp
(don't forget to restart SSH after editing the file)
Explanation
So, what does all this do?
- It always disables root logins, as an extra security measure.
- It always disables password-based logins (easily the biggest security issue with SSH).
- It only allows pubkey login for users in the
allowsshgroup. - Users in the
sftponlygroup cannot get a shell over SSH, only SFTP.
Managing who has access is then simply done by managing group membership (these changes take effect immediately, no SSH restart required):
# adduser marcelm allowssh
# members allowssh
marcelm
# deluser marcelm allowssh
# members allowssh
#
Note that your sftp users need to be members of both sftponly (to ensure they won't get a shell), and of allowssh (to allow login in the first place).
Note also that you need to use public key authentication; password logins no longer work. This is probably the single biggest security gain you can get with SSH, so it's worth the effort.
Extra information
You can set the shell of the sftponly users to /sbin/nologin if you want, according to your own tastes.
This configuration limits sftponly users to their homedirectory. If you do not want that, remove the ChrootDirectory %h directive.
For bonus points, have a look at restricting who can su to root; add a system group called wheel, and add/enable auth required pam_wheel.so in /etc/pam.d/su.
answered 44 mins ago
marcelmmarcelm
1,170410
This should be the accepted answer. It provides the solution as well as breaking down the reasoning behind each step.
– kemotep
5 mins ago
add a comment |
I like the following setup for managing SSH access, which I use at work to manage a group of users on small fleet of servers.
Its key feature is managing SSH rights through Unix group membership, and having pretty tight permissions by default.
Setting up
Install software (optional but useful):
yum install members # or apt install members
Add groups:
addgroup --system allowssh
addgroup --system sftponly
In /etc/ssh/sshd_config, ensure that the following to settings are No:
PermitRootLogin no
PubkeyAuthentication no
PasswordAuthentication no
And at the end of /etc/ssh/sshd_config, add these two stanzas:
Match Group allowssh
PubkeyAuthentication yes
Match Group sftponly
ChrootDirectory %h
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp
(don't forget to restart SSH after editing the file)
Explanation
So, what does all this do?
- It always disables root logins, as an extra security measure.
- It always disables password-based logins (easily the biggest security issue with SSH).
- It only allows pubkey login for users in the
allowsshgroup. - Users in the
sftponlygroup cannot get a shell over SSH, only SFTP.
Managing who has access is then simply done by managing group membership (these changes take effect immediately, no SSH restart required):
# adduser marcelm allowssh
# members allowssh
marcelm
# deluser marcelm allowssh
# members allowssh
#
Note that your sftp users need to be members of both sftponly (to ensure they won't get a shell), and of allowssh (to allow login in the first place).
Note also that you need to use public key authentication; password logins no longer work. This is probably the single biggest security gain you can get with SSH, so it's worth the effort.
Extra information
You can set the shell of the sftponly users to /sbin/nologin if you want, according to your own tastes.
This configuration limits sftponly users to their homedirectory. If you do not want that, remove the ChrootDirectory %h directive.
For bonus points, have a look at restricting who can su to root; add a system group called wheel, and add/enable auth required pam_wheel.so in /etc/pam.d/su.
answered 44 mins ago
marcelmmarcelm
1,170410
This should be the accepted answer. It provides the solution as well as breaking down the reasoning behind each step.
– kemotep
5 mins ago
add a comment |
I like the following setup for managing SSH access, which I use at work to manage a group of users on small fleet of servers.
Its key feature is managing SSH rights through Unix group membership, and having pretty tight permissions by default.
Setting up
Install software (optional but useful):
yum install members # or apt install members
Add groups:
addgroup --system allowssh
addgroup --system sftponly
In /etc/ssh/sshd_config, ensure that the following to settings are No:
PermitRootLogin no
PubkeyAuthentication no
PasswordAuthentication no
And at the end of /etc/ssh/sshd_config, add these two stanzas:
Match Group allowssh
PubkeyAuthentication yes
Match Group sftponly
ChrootDirectory %h
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp
(don't forget to restart SSH after editing the file)
Explanation
So, what does all this do?
- It always disables root logins, as an extra security measure.
- It always disables password-based logins (easily the biggest security issue with SSH).
- It only allows pubkey login for users in the
allowsshgroup. - Users in the
sftponlygroup cannot get a shell over SSH, only SFTP.
Managing who has access is then simply done by managing group membership (these changes take effect immediately, no SSH restart required):
# adduser marcelm allowssh
# members allowssh
marcelm
# deluser marcelm allowssh
# members allowssh
#
Note that your sftp users need to be members of both sftponly (to ensure they won't get a shell), and of allowssh (to allow login in the first place).
Note also that you need to use public key authentication; password logins no longer work. This is probably the single biggest security gain you can get with SSH, so it's worth the effort.
Extra information
You can set the shell of the sftponly users to /sbin/nologin if you want, according to your own tastes.
This configuration limits sftponly users to their homedirectory. If you do not want that, remove the ChrootDirectory %h directive.
For bonus points, have a look at restricting who can su to root; add a system group called wheel, and add/enable auth required pam_wheel.so in /etc/pam.d/su.
answered 44 mins ago
marcelmmarcelm
1,170410
I like the following setup for managing SSH access, which I use at work to manage a group of users on small fleet of servers.
Its key feature is managing SSH rights through Unix group membership, and having pretty tight permissions by default.
Setting up
Install software (optional but useful):
yum install members # or apt install members
Add groups:
addgroup --system allowssh
addgroup --system sftponly
In /etc/ssh/sshd_config, ensure that the following to settings are No:
PermitRootLogin no
PubkeyAuthentication no
PasswordAuthentication no
And at the end of /etc/ssh/sshd_config, add these two stanzas:
Match Group allowssh
PubkeyAuthentication yes
Match Group sftponly
ChrootDirectory %h
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp
(don't forget to restart SSH after editing the file)
Explanation
So, what does all this do?
- It always disables root logins, as an extra security measure.
- It always disables password-based logins (easily the biggest security issue with SSH).
- It only allows pubkey login for users in the
allowsshgroup. - Users in the
sftponlygroup cannot get a shell over SSH, only SFTP.
Managing who has access is then simply done by managing group membership (these changes take effect immediately, no SSH restart required):
# adduser marcelm allowssh
# members allowssh
marcelm
# deluser marcelm allowssh
# members allowssh
#
Note that your sftp users need to be members of both sftponly (to ensure they won't get a shell), and of allowssh (to allow login in the first place).
Note also that you need to use public key authentication; password logins no longer work. This is probably the single biggest security gain you can get with SSH, so it's worth the effort.
Extra information
You can set the shell of the sftponly users to /sbin/nologin if you want, according to your own tastes.
This configuration limits sftponly users to their homedirectory. If you do not want that, remove the ChrootDirectory %h directive.
For bonus points, have a look at restricting who can su to root; add a system group called wheel, and add/enable auth required pam_wheel.so in /etc/pam.d/su.
answered 44 mins ago
marcelmmarcelm
1,170410
edited 26 mins ago
answered 44 mins ago
marcelmmarcelm
1,170410
answered 44 mins ago
marcelmmarcelm
1,170410
answered 44 mins ago
marcelmmarcelm
1,170410
1,170410
This should be the accepted answer. It provides the solution as well as breaking down the reasoning behind each step.
– kemotep
5 mins ago
add a comment |
This should be the accepted answer. It provides the solution as well as breaking down the reasoning behind each step.
– kemotep
5 mins ago
This should be the accepted answer. It provides the solution as well as breaking down the reasoning behind each step.
– kemotep
5 mins ago
This should be the accepted answer. It provides the solution as well as breaking down the reasoning behind each step.
– kemotep
5 mins ago
add a comment |
just change their default shell to /sbin/nologin. Assuming most varieties of Linux:
# usermod -s /sbin/nologin username
answered 3 hours ago
MellaMella
223111
I have tried it, but user is not able to login via sftp, I don't know why. I'm using centos btw.
– Sollosa
3 hours ago
@Sollosa Probably either a permission problem in your sftp chroot, or sshd_config has a problem. You should update your question to include the permissions of your chroot directory, and your sshd_config with any sensitive information redacted.
– Mella
2 hours ago
I believe (though I cannot test it now) that this allows SFTP only if there's alsoSubsystem sftp internal-sftp) (or maybeForceCommand internal-sftp). If there's commonSubsystem sftp /path/to/sftp-server,nologinwill prevent even SFTP.
– Martin Prikryl
2 hours ago
add a comment |
just change their default shell to /sbin/nologin. Assuming most varieties of Linux:
# usermod -s /sbin/nologin username
answered 3 hours ago
MellaMella
223111
I have tried it, but user is not able to login via sftp, I don't know why. I'm using centos btw.
– Sollosa
3 hours ago
@Sollosa Probably either a permission problem in your sftp chroot, or sshd_config has a problem. You should update your question to include the permissions of your chroot directory, and your sshd_config with any sensitive information redacted.
– Mella
2 hours ago
I believe (though I cannot test it now) that this allows SFTP only if there's alsoSubsystem sftp internal-sftp) (or maybeForceCommand internal-sftp). If there's commonSubsystem sftp /path/to/sftp-server,nologinwill prevent even SFTP.
– Martin Prikryl
2 hours ago
add a comment |
just change their default shell to /sbin/nologin. Assuming most varieties of Linux:
# usermod -s /sbin/nologin username
answered 3 hours ago
MellaMella
223111
just change their default shell to /sbin/nologin. Assuming most varieties of Linux:
# usermod -s /sbin/nologin username
answered 3 hours ago
MellaMella
223111
answered 3 hours ago
MellaMella
223111
answered 3 hours ago
MellaMella
223111
answered 3 hours ago
MellaMella
223111
223111
I have tried it, but user is not able to login via sftp, I don't know why. I'm using centos btw.
– Sollosa
3 hours ago
@Sollosa Probably either a permission problem in your sftp chroot, or sshd_config has a problem. You should update your question to include the permissions of your chroot directory, and your sshd_config with any sensitive information redacted.
– Mella
2 hours ago
I believe (though I cannot test it now) that this allows SFTP only if there's alsoSubsystem sftp internal-sftp) (or maybeForceCommand internal-sftp). If there's commonSubsystem sftp /path/to/sftp-server,nologinwill prevent even SFTP.
– Martin Prikryl
2 hours ago
add a comment |
I have tried it, but user is not able to login via sftp, I don't know why. I'm using centos btw.
– Sollosa
3 hours ago
@Sollosa Probably either a permission problem in your sftp chroot, or sshd_config has a problem. You should update your question to include the permissions of your chroot directory, and your sshd_config with any sensitive information redacted.
– Mella
2 hours ago
I believe (though I cannot test it now) that this allows SFTP only if there's alsoSubsystem sftp internal-sftp) (or maybeForceCommand internal-sftp). If there's commonSubsystem sftp /path/to/sftp-server,nologinwill prevent even SFTP.
– Martin Prikryl
2 hours ago
I have tried it, but user is not able to login via sftp, I don't know why. I'm using centos btw.
– Sollosa
3 hours ago
I have tried it, but user is not able to login via sftp, I don't know why. I'm using centos btw.
– Sollosa
3 hours ago
@Sollosa Probably either a permission problem in your sftp chroot, or sshd_config has a problem. You should update your question to include the permissions of your chroot directory, and your sshd_config with any sensitive information redacted.
– Mella
2 hours ago
@Sollosa Probably either a permission problem in your sftp chroot, or sshd_config has a problem. You should update your question to include the permissions of your chroot directory, and your sshd_config with any sensitive information redacted.
– Mella
2 hours ago
I believe (though I cannot test it now) that this allows SFTP only if there's also
Subsystem sftp internal-sftp) (or maybe ForceCommand internal-sftp). If there's common Subsystem sftp /path/to/sftp-server, nologin will prevent even SFTP.– Martin Prikryl
2 hours ago
I believe (though I cannot test it now) that this allows SFTP only if there's also
Subsystem sftp internal-sftp) (or maybe ForceCommand internal-sftp). If there's common Subsystem sftp /path/to/sftp-server, nologin will prevent even SFTP.– Martin Prikryl
2 hours ago
add a comment |
Thanks for contributing an answer to Unix & Linux Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f503312%2fis-it-possible-to-grant-users-sftp-access-without-shell-access-if-yes-how-is-i%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
