Another method would be to give them all the same shell IE /bin/bash.  Then,
the first line of their .bashrc would be "exit".  It's a bandaid approach I
know, but it should work.  We have to use it for some applications under
Exceed.  This should allow FTP, but will automatically exit them if they try
to login with telnet.  It will only log them out on a log-in of ssh if you
have the sshd set to run login scripts.

Bill

-----Original Message-----
From: Shannon Merritt [mailto:smerritt@home.aafp.org]
Sent: Tuesday, May 21, 2002 10:54 AM
To: kclug@kclug.org
Subject: SFTP without valid login shell

On RedHat 7.2 (also on our Solaris servers), we allow our web site 
design team to upload content via SFTP on port 22.  Previously we used 
the standard FTP protocol (port 21).  With regular FTP uploads, the 
user's entry in the /etc/passwd file could contain a shell reference 
like "/bin/false" as long as that shell was defined in /etc/shells.  Now 
that we are using a secure protocol (SFTP), it seems to require that the 
user have a legitimate shell in the /etc/passwd file.  The problem this 
presents is that they can now log in using a standard SSH client.  I 
want to restrict their access so that they only have SFTP access, not 
shell access.

Any ideas on how I can use a non-legitimate shell in the /etc/passwd 
file but still allow SFTP sessions?

Shannon Merritt