SFTP is a file transfer protocol that runs as a subsystem of SSH (Secure Shell), so on an OpenSSH server both are governed by the same configuration file (/etc/ssh/sshd_config). By default, any user who is given SSH access to a server also gets SFTP access. Taking SFTP away from selected users looks like it should need only a couple of short lines at the end of sshd_config.
For example, create a Unix group "no-sftp", add the users you want to restrict, and try to override the subsystem for that group with the two lines below:
Match Group no-sftp
Subsystem sftp /bin/false
Unfortunately OpenSSH does not accept this. Subsystem is not one of the keywords permitted inside a Match block, so sshd -t rejects the file ("Directive 'Subsystem' is not allowed within a Match block") and sshd will not start with it. The per-group keyword that does work here is ForceCommand, pointing at a small wrapper that inspects SSH_ORIGINAL_COMMAND, refuses the sftp subsystem and passes every other request through to the user's shell. Bear in mind that this only blocks the subsystem request: a user who still has a shell can copy an sftp-server binary and ask the sftp client to run it under another name (sftp -s), so it is a convenience restriction, not a security boundary.
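The wrapper that implements the "shell yes, SFTP no" rule for a group, as an added example that is not part of the original article. The name /usr/local/bin/no-sftp, the group name no-sftp and the sftp-server path in the comments are assumptions; the classification function is kept separate from the dispatch so it can be exercised without an SSH session.

```bash
#!/bin/bash
# /usr/local/bin/no-sftp (assumed name): ForceCommand wrapper that refuses the
# sftp subsystem for one group but leaves shell and command access alone.
# Pair it with a Match block at the END of sshd_config:
#   Match Group no-sftp
#       ForceCommand /usr/local/bin/no-sftp
# With ForceCommand in effect sshd exports what the client actually asked for in
# SSH_ORIGINAL_COMMAND: empty for an interactive login, the command string for
# "ssh host cmd", and for a subsystem request the Subsystem command from
# sshd_config (e.g. /usr/lib/openssh/sftp-server, or the literal internal-sftp).

# classify_request REQUEST -> prints "shell", "sftp" or "command"
classify_request() {
    case "$1" in
        "")                                          echo shell ;;
        internal-sftp|*/sftp-server|*/sftp-server" "*) echo sftp ;;
        *)                                           echo command ;;
    esac
}

# Dispatch only when running as the installed wrapper, so the function above
# can be sourced and tested without sshd.
if [ "${0##*/}" = "no-sftp" ]; then
    user_shell="${SHELL:-/bin/sh}"          # sshd sets SHELL to the account's login shell
    case "$(classify_request "${SSH_ORIGINAL_COMMAND:-}")" in
        shell)   exec "$user_shell" -l ;;
        sftp)    echo "User '${LOGNAME:-$(id -un)}' may not use sftp." >&2; exit 1 ;;
        command) exec "$user_shell" -c "$SSH_ORIGINAL_COMMAND" ;;
    esac
fi
```

Check the classification before relying on it: a path that merely contains "sftp-server" (say, a user's private copy named sftp-server-copy) is treated as an ordinary command and executed, which is exactly why this wrapper cannot stop a determined shell user from speaking SFTP; it only removes the subsystem from the menu.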
However, let's consider the opposite scenario.
You have users who should be able to transfer files with SFTP but must not be allowed to log in to the server. You cannot simply change the user's shell to something like /bin/false: sshd starts the sftp subsystem through the user's login shell (<shell> -c /path/to/sftp-server), so a shell of /bin/false blocks SFTP along with SSH. On OpenSSH 4.9 or later this case is handled inside sshd_config itself, with a Match block that sets ForceCommand internal-sftp (usually together with ChrootDirectory); the in-process internal-sftp server needs no shell at all. On older servers, or where sshd_config cannot be changed, the only lever left is the login shell, and that is what the rest of this article uses. Note: It is for this very reason that I personally choose never to use SFTP as a file transfer protocol; this is why we have VSFTP. By using a separate daemon with a separate config file you have a lot more control over your environment.
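For servers running OpenSSH 4.9 or later, the configuration-only version of an SFTP-only account, as an added example that is not part of the original article. The group name sftponly and the /home/%u layout are assumptions.

```text
# /etc/ssh/sshd_config -- SFTP-only group, OpenSSH 4.9 or later (added example).
# Assumptions: a Unix group "sftponly"; each member's home is /home/<user>.
# ChrootDirectory demands that /home/<user> itself be owned by root and not
# group- or world-writable; give the user a writable subdirectory inside it
# (e.g. /home/<user>/upload). Match blocks must come last: every line after
# a Match line belongs to that block.
Subsystem sftp internal-sftp

Match Group sftponly
    ForceCommand internal-sftp
    ChrootDirectory /home/%u
    AllowTcpForwarding no
    AllowAgentForwarding no
    X11Forwarding no
    PermitTTY no
```

Run sshd -t before restarting the daemon; a bad Match block keeps sshd from starting at all. Because internal-sftp runs inside the sshd process, the account's login shell is never executed and can be /sbin/nologin or /bin/false (it must still exist and be executable, or sshd refuses the login). PermitTTY requires OpenSSH 6.2 or later; drop that line on older builds.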
So how do you disable SSH only for these users? Let's look at Linux and Solaris first.
First drop the script below into /usr/local/bin/sftponly and make it executable (chmod 755). If you change shells with chsh rather than usermod, also add the path to /etc/shells.
#!/bin/bash
# sshd starts the login shell as: <shell> -c "<Subsystem command>", so a genuine
# SFTP session arrives as exactly two arguments. Match them exactly: a suffix
# pattern such as *sftp-server would also accept "/bin/sh #/path/to/sftp-server".
SFTP_SERVER=/usr/lib/openssh/sftp-server   # copy the command from the Subsystem line in sshd_config
if [ "$#" -eq 2 ] && [ "$1" = "-c" ] && [ "$2" = "$SFTP_SERVER" ]
then
exec /bin/bash "$@"
else
echo "User '${LOGNAME:-$(id -un)}' is only allowed access via sftp." >&2
exit 1
fi
Now, for any user whose SSH access you need to block, change their login shell to /usr/local/bin/sftponly (usermod -s /usr/local/bin/sftponly USER). If they arrive any way other than through the sftp subsystem they are refused and the session ends; if they arrive via SFTP it is business as usual. Two caveats: the login shell only governs what gets executed, so port, agent and X11 forwarding still work unless you disable them in sshd_config (AllowTcpForwarding no, AllowAgentForwarding no, X11Forwarding no), and the user still sees the whole filesystem, since nothing here chroots them.
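Before trusting a login-shell wrapper like this, test it against command lines crafted to slip past the check. The harness below is an added example (not from the original article): it feeds the argv sshd would hand the shell through two candidate checks, a loose suffix match of the form [[ "$2" = *sftp-server ]] and an exact match of the configured subsystem command. The sftp-server path and the request strings are constructed for the demonstration.

```bash
#!/bin/bash
# Added harness: feed an sftp-only login shell the argv sshd would hand it
# ("-c" plus one command string) and compare a loose suffix check with an
# exact check of the configured subsystem command.
SFTP_SERVER=/usr/lib/openssh/sftp-server   # assumed Subsystem path; adjust to yours

# Loose check: the same glob as [[ "$2" = *sftp-server ]]; anything that merely
# ends in "sftp-server" is accepted, and bash -c then runs the whole string.
loose_allows() {
    case "${2:-}" in *sftp-server) return 0 ;; *) return 1 ;; esac
}

# Strict check: exactly two arguments, "-c" and the configured command, nothing else.
strict_allows() {
    [ "$#" -eq 2 ] && [ "$1" = "-c" ] && [ "$2" = "$SFTP_SERVER" ]
}

# verdict CHECK REQUEST -> prints allow|deny for a client request of REQUEST
verdict() {
    if "$1" -c "$2"; then echo allow; else echo deny; fi
}

# Constructed requests: the genuine subsystem request, two bypass attempts that
# keep the sftp-server suffix (a shell comment, and a preceding command), and a
# plain command. The bypasses are what "ssh -t host '<request>'" would send.
for request in "$SFTP_SERVER" \
               "/bin/sh #$SFTP_SERVER" \
               "id; $SFTP_SERVER" \
               "ls -l /etc"; do
    printf '%-45s loose=%-5s strict=%s\n' "$request" \
        "$(verdict loose_allows "$request")" "$(verdict strict_allows "$request")"
done
```

The loose check lets both bypass attempts through: the first runs an interactive /bin/sh and never reaches sftp-server at all, the second runs id and then starts a real SFTP session so the log looks normal. The strict check admits only the request sshd itself generates for the subsystem.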
Now AIX is a bit different: there you can simply set the user's login shell to the sftp-server binary itself, /usr/sbin/sftp-server, which has the same effect (SFTP works, SSH logins do not) but without the friendly error message. This is not really AIX-specific. OpenSSH's sftp-server deliberately ignores its arguments when it is invoked as a shell with -c, so pointing the login shell at the sftp-server binary works on any system that ships OpenSSH; only the path differs (for example /usr/lib/openssh/sftp-server on Debian-based Linux).
Note that this is obviously not an ideal solution, but if you are like me and you are stuck with a piss-poor configuration and need to block SSH access without reinventing the wheel or breaking any existing processes, and you need to do so quickly and easily, this is the best solution for the money.