Damien Miller wrote on Fri, Nov 24, 2006 at 12:04:15PM +1100:
> On Thu, 23 Nov 2006, Ingo Schwarze wrote:
> 
>> From time to time, people come here to ask:
>> How can i set up an account for SFTP only, forbidding shell access?
>> 
>> One common answer is scponly, http://sublimation.org/scponly/wiki/
>> This looks quite powerful, in particular if you intend to chroot.
>> 
>> I just had to implement SFTP only access myself.  Reading the scponly
>> sources, i realized that the task is nearly trivial as long as you
>> only want SFTP, no other protocols, and need no chroot.  So i thought
>> i might as well share with the list.  In case i overlooked anything
>> serious, chances are i shall be beaten...  ;-)
> 
> In OpenSSH-4.5:
> 
> Match user djm
>       X11Forwarding no
>       AllowTCPForwarding no
>       ForceCommand /usr/libexec/sftp-server

Oops, advertising hacks is certainly a bad idea when standard
solutions are already implemented...  Sorry for the noise...

What happened is this:  I first tried the ForceCommand solution
(which i do like for commands either redirecting stdio from /dev/null
or expecting ASCII input), but didn't much like the fact that users
erroneously using ssh(1) instead of sftp(1) will get no error
message, but a chance to type into a binary SFTP connection.
Doing harm by some ill chance appears improbable as the SSH_FXP_*
packet type codes are all below 32, so they do not correspond
to printable ASCII characters.  All the same, i feared such users
might get rather confused.
While searching for alternative solutions, i completely forgot
about ForceCommand.

In some situations, just executing /bin/sh -c <ForceCommand>,
regardless of the command supplied to the sshd(8), certainly is
the best thing to do.  In this special case, returning an error
message in case of a command mismatch might even be nicer.
But that probably won't warrant adding yet another option to
sshd_config(5).
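
The error-on-mismatch behaviour wished for above can be approximated without a new sshd_config(5) option by pointing ForceCommand at a small wrapper. The sketch below is an added example, not part of the original message or of OpenSSH; the wrapper name `sftp-only` and its install path are hypothetical, and it assumes sshd passes the configured Subsystem command in `SSH_ORIGINAL_COMMAND` for sftp requests.

```shell
#!/bin/sh
# Added example, not from the post: hypothetical wrapper installed as
# /usr/local/libexec/sftp-only (constructed path) and used as
#   ForceCommand /usr/local/libexec/sftp-only
# inside the Match block instead of calling sftp-server directly.

# Path from the post; must equal the command on the "Subsystem sftp"
# line of sshd_config(5) (assumed here to carry no arguments).
SFTP_SERVER=/usr/libexec/sftp-server

# Classify the client's request from SSH_ORIGINAL_COMMAND ($1).
# Assumption: sshd exports the configured Subsystem command there for
# sftp requests and leaves it empty for a plain interactive login.
sftp_only_classify() {
    case "$1" in
        "")             echo shell ;;    # ssh(1) without a command
        "$SFTP_SERVER") echo sftp ;;     # exact match only, no prefixes
        *)              echo command ;;  # ssh host cmd, scp, ...
    esac
}

# The client's string is only compared, never executed or eval'ed.
sftp_only_main() {
    case "$(sftp_only_classify "${SSH_ORIGINAL_COMMAND:-}")" in
        sftp)
            exec "$SFTP_SERVER" ;;
        shell)
            echo "This account is SFTP-only: use sftp(1), not ssh(1)." >&2
            return 1 ;;
        *)
            echo "This account is SFTP-only: remote commands are refused." >&2
            return 1 ;;
    esac
}

# Enforce only when invoked under the wrapper's own name.
case "${0##*/}" in
    sftp-only) sftp_only_main || exit 1 ;;
esac
```

sshd runs the forced command through the account's login shell, so the account still needs a working shell for the wrapper to start.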
