Is it possible to grant users sftp access without shell access? If yes, how is it implemented?
I have an array of users who need to just upload files to their set homedirs. I think sftp would suffice, but I don't want them to log in via shell. So is it possible?

My platform is CentOS 7; users' homedirs are stored in, let's say, /personal/$user.

I created a user with these settings:

    useradd -m -d /personal/user1 -s /sbin/nologin

I assigned the user a passwd, then when I use sftp to log in to the machine, it says cannot connect.
– Sollosa, asked 5 hours ago, edited 5 hours ago

3 Answers

I like the following setup for managing SSH access, which I use at work to manage a group of users on a small fleet of servers.

Its key feature is managing SSH rights through Unix group membership, and having pretty tight permissions by default.

Setting up

Install software (optional but useful):

    yum install members # or apt install members

Add groups:

    addgroup --system allowssh
    addgroup --system sftponly

In /etc/ssh/sshd_config, ensure that the following two settings are No:

    PermitRootLogin no
    PubkeyAuthentication no
    PasswordAuthentication no

And at the end of /etc/ssh/sshd_config, add these two stanzas:

    Match Group allowssh
        PubkeyAuthentication yes

    Match Group sftponly
        ChrootDirectory %h
        X11Forwarding no
        AllowTcpForwarding no
        ForceCommand internal-sftp

(don't forget to restart SSH after editing the file)

Explanation

So, what does all this do?

- It always disables root logins, as an extra security measure.
- It always disables password-based logins (easily the biggest security issue with SSH).
- It only allows pubkey login for users in the allowssh group.
- Users in the sftponly group cannot get a shell over SSH, only SFTP.

Managing who has access is then simply done by managing group membership (these changes take effect immediately, no SSH restart required):

    # adduser marcelm allowssh
    # members allowssh
    marcelm
    # deluser marcelm allowssh
    # members allowssh
    #

Note that your sftp users need to be members of both sftponly (to ensure they won't get a shell), and of allowssh (to allow login in the first place).

Note also that you need to use public key authentication; password logins no longer work. This is probably the single biggest security gain you can get with SSH, so it's worth the effort.

Extra information

You can set the shell of the sftponly users to /sbin/nologin if you want, according to your own tastes.

This configuration limits sftponly users to their home directory. If you do not want that, remove the ChrootDirectory %h directive.

For bonus points, have a look at restricting who can su to root; add a system group called wheel, and add/enable auth required pam_wheel.so in /etc/pam.d/su.
– marcelm, answered 3 hours ago, edited 2 hours ago

This should be the accepted answer. It provides the solution as well as breaking down the reasoning behind each step.
– kemotep, 2 hours ago
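
Added example, not part of the answer above or of the thread: sshd accepts a ChrootDirectory only when every component of the path is a root-owned directory that is not writable by group or others, so `ChrootDirectory %h` is refused for a home directory that belongs to the user. The script walks a path and reports the offending components; it assumes GNU `stat` (as on CentOS 7), and the function names are illustrative.

```shell
#!/bin/sh
# Added example: pre-flight check for a ChrootDirectory path.
# Assumption: GNU coreutils stat (-c format option).

# component_ok UID MODE -> 0 when the directory is owned by root and
# carries no group/other write bit.
component_ok() {
    [ "$1" = 0 ] || return 1
    # The leading 0 makes the shell read MODE as octal; 022 = g+w | o+w.
    [ $(( 0$2 & 022 )) -eq 0 ]
}

# check_chroot_path DIR -> prints one line per offending component,
# returns 0 if the whole chain is acceptable, 1 if not, 2 on bad input.
check_chroot_path() {
    path=$1
    case $path in
        /*) ;;
        *) echo "$path: must be an absolute path" >&2; return 2 ;;
    esac
    rc=0
    while :; do
        if [ ! -d "$path" ]; then
            echo "$path: not a directory"
            rc=1
        else
            # -L follows symlinks, as a plain stat() call does.
            set -- $(stat -L -c '%u %a' "$path" 2>/dev/null)
            if ! component_ok "$1" "$2"; then
                echo "$path: uid=$1 mode=$2 (needs uid 0 and no group/other write)"
                rc=1
            fi
        fi
        if [ "$path" = / ]; then
            break
        fi
        path=$(dirname "$path")
    done
    return $rc
}

# Demo on a constructed directory: group-writable, so it is rejected for the
# same reason a user-owned home directory is.
demo=$(mktemp -d)
chmod 775 "$demo"
check_chroot_path "$demo" || echo "=> sshd would refuse to chroot into $demo"
rm -rf "$demo"
```

Run `check_chroot_path /personal/user1` (the path from the question) before enabling the chroot stanza; any line it prints names a directory whose owner or mode has to change first.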

Edit your /etc/ssh/sshd_config to contain:

    Match User [SFTP user]
        ForceCommand internal-sftp

Restart sshd. If you have multiple users, put them all on the Match User line separated by commas, like so:

    Match User User1,User2,User3

The key to configuring sftp to not allow shell access is to limit users via the ForceCommand option.
– kemotep, answered 5 hours ago, edited 4 hours ago

Ok I did follow all steps but it did not log in
– Sollosa, 4 hours ago

@Sollosa Try with

    Match User [SFTP user]
    ForceCommand internal-sftp

only, without chrooting stuff.
– Martin Prikryl, 4 hours ago

@MartinPrikryl it worked Martin, thanks, I just removed chrootdirectory parameter & voila
– Sollosa, 4 hours ago

@MartinPrikryl the post has been corrected. Thank you for pointing out the key parts.
– kemotep, 4 hours ago
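
Added example, not from any of the answers: a small linter that reads an sshd_config and, for each Match block that forces internal-sftp, reports whether TCP forwarding is still enabled and whether a chroot is set, and also whether the global Subsystem sftp depends on the login shell. The sample config is constructed from the two stanzas on this page; the function names are illustrative, and the parser judges each Match block on its own instead of merging several matching blocks the way sshd does.

```shell
#!/bin/sh
# Added example: lint the SFTP-only Match blocks of an sshd_config.
# Simplifications (assumptions): "Keyword value" syntax only, one block at a time.

# Constructed sample: the Match User stanza and the Match Group stanza
# discussed on this page, side by side.
sample_config() {
    cat <<'EOF'
# constructed sample
Subsystem sftp /path/to/sftp-server
PasswordAuthentication no

Match User user1
    ForceCommand internal-sftp

Match Group sftponly
    ChrootDirectory %h
    X11Forwarding no
    AllowTcpForwarding no
    ForceCommand internal-sftp
EOF
}

# audit_sftp_only FILE -> one finding per line; returns 1 if any WARN was printed.
audit_sftp_only() {
    awk '
    function report() {
        if (block == "" || !forced) return
        eff = (fwd == "") ? gfwd : fwd      # unset in the block: global value applies
        if (eff != "no") {
            print "WARN [" block "] AllowTcpForwarding is " eff ": SFTP-only account can still open TCP tunnels"
            warn = 1
        }
        if (chroot == "")
            print "INFO [" block "] no ChrootDirectory: account can reach any path its permissions allow"
        else
            print "INFO [" block "] ChrootDirectory " chroot ": path must be root-owned, no group/other write"
    }
    BEGIN { gfwd = "yes"; warn = 0 }        # sshd default for AllowTcpForwarding
    /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
    {
        key = tolower($1)                   # keywords are case-insensitive
        if (key == "match") {
            report()                        # close the previous block
            block = $0; sub(/^[ \t]+/, "", block)
            forced = 0; fwd = ""; chroot = ""
        } else if (block == "") {           # global section
            if (key == "allowtcpforwarding") gfwd = tolower($2)
            if (key == "subsystem" && $2 == "sftp") subsys = $3
        } else {                            # inside a Match block
            if (key == "forcecommand" && $2 == "internal-sftp") forced = 1
            if (key == "allowtcpforwarding") fwd = tolower($2)
            if (key == "chrootdirectory") chroot = $2
        }
    }
    END {
        report()
        if (subsys != "" && subsys != "internal-sftp")
            print "INFO [global] Subsystem sftp " subsys ": started through the login shell, so a nologin account needs ForceCommand internal-sftp"
        exit warn
    }' "$1"
}

# Demo: the bare Match User block is flagged, the fuller Match Group block is not.
cfg=$(mktemp)
sample_config > "$cfg"
audit_sftp_only "$cfg" || echo "=> at least one SFTP-only block needs hardening"
rm -f "$cfg"
```

On a live host, `sshd -T -C user=NAME` prints the settings sshd actually applies to that account after Match processing.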

Just change their default shell to /sbin/nologin. Assuming most varieties of Linux:

    # usermod -s /sbin/nologin username
– Mella, answered 5 hours ago

I have tried it, but the user is not able to log in via sftp, I don't know why. I'm using CentOS btw.
– Sollosa, 5 hours ago

@Sollosa Probably either a permission problem in your sftp chroot, or sshd_config has a problem. You should update your question to include the permissions of your chroot directory, and your sshd_config with any sensitive information redacted.
– Mella, 5 hours ago

I believe (though I cannot test it now) that this allows SFTP only if there's also Subsystem sftp internal-sftp (or maybe ForceCommand internal-sftp). If there's common Subsystem sftp /path/to/sftp-server, nologin will prevent even SFTP.
– Martin Prikryl, 4 hours ago