SFTP without valid login shell

Cockerham, Bill bill.cockerham at aquila.com
Tue May 21 17:07:39 CDT 2002


Another method would be to give them all the same shell, i.e. /bin/bash.  Then,
the first line of their .bashrc would be "exit".  It's a band-aid approach, I
know, but it should work.  We have to use it for some applications under
Exceed.  This should allow FTP, but will automatically exit them if they try
to log in with telnet.  It will only log them out on an ssh login if you
have sshd set to run login scripts.

Bill

-----Original Message-----
From: Shannon Merritt [mailto:smerritt at home.aafp.org]
Sent: Tuesday, May 21, 2002 10:54 AM
To: kclug at kclug.org
Subject: SFTP without valid login shell

On RedHat 7.2 (also on our Solaris servers), we allow our web site 
design team to upload content via SFTP on port 22.  Previously we used 
the standard FTP protocol (port 21).  With regular FTP uploads, the 
user's entry in the /etc/passwd file could contain a shell reference 
like "/bin/false" as long as that shell was defined in /etc/shells.  Now 
that we are using a secure protocol (SFTP), it seems to require that the 
user have a legitimate shell in the /etc/passwd file.  The problem this 
presents is that they can now log in using a standard SSH client.  I 
want to restrict their access so that they only have SFTP access, not 
shell access.

Any ideas on how I can use a non-legitimate shell in the /etc/passwd 
file but still allow SFTP sessions?

Shannon Merritt
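As an added example (not part of either message in this thread), the script below shows how a defender would answer Shannon's question on a current OpenSSH server, and gives an audit that exposes the gap Bill's .bashrc trick leaves open: it emits an sshd_config Match block that forces a group into the SFTP subsystem regardless of login shell, and lists members of that group whose /etc/passwd shell is still interactive. The group name "sftponly", the chroot path "/srv/sftp/%u", and the passwd/group records are constructed placeholders; the Match, ForceCommand internal-sftp and ChrootDirectory directives are assumed to be available, which they are not on the 2002-era sshd the thread discusses.

```shell
#!/bin/sh
# Added example, not from the kclug thread.
# 1. sftp_only_match_block: print an sshd_config Match block that serves SFTP
#    from inside sshd (internal-sftp), so the account's login shell is never
#    executed and a plain "ssh user@host" gets no shell.
# 2. unrestricted_sftp_users: list members of the SFTP group whose passwd
#    shell is interactive, i.e. who can still open a shell session until the
#    Match block (or an equivalent restriction) is in place.
# Sample data below is constructed; group and chroot names are placeholders.

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
webdesign1:x:1001:1001::/home/webdesign1:/bin/bash
webdesign2:x:1002:1001::/home/webdesign2:/bin/false
sysadmin:x:1003:1003::/home/sysadmin:/bin/bash'

SAMPLE_GROUP='sftponly:x:1001:webdesign1,webdesign2'

# Usage: sftp_only_match_block GROUP CHROOT_DIR
# Assumes OpenSSH Match-block support (ForceCommand/ChrootDirectory).
sftp_only_match_block() {
    group=$1
    chroot=$2
    printf 'Match Group %s\n' "$group"
    printf '    ForceCommand internal-sftp\n'
    printf '    ChrootDirectory %s\n' "$chroot"
    printf '    AllowTcpForwarding no\n'
    printf '    X11Forwarding no\n'
}

# Usage: group_members GROUP_DATA GROUP  -> members, space separated
group_members() {
    printf '%s\n' "$1" | awk -F: -v g="$2" '$1 == g { gsub(",", " ", $4); print $4 }'
}

# Usage: unrestricted_sftp_users PASSWD_DATA GROUP_DATA GROUP
# Prints one user per line whose login shell is neither /bin/false nor a
# nologin binary; those accounts get a shell if sshd does not force SFTP.
unrestricted_sftp_users() {
    passwd_data=$1
    for u in $(group_members "$2" "$3"); do
        shell=$(printf '%s\n' "$passwd_data" | awk -F: -v u="$u" '$1 == u { print $7 }')
        case "$shell" in
            /bin/false|*/nologin|"") ;;
            *) printf '%s\n' "$u" ;;
        esac
    done
}

# Stand-alone run: audit the sample data, then print the block to append
# to sshd_config (after the Subsystem line; Match blocks must come last).
echo "sftponly members that still have an interactive shell:"
unrestricted_sftp_users "$SAMPLE_PASSWD" "$SAMPLE_GROUP" sftponly
echo
echo "sshd_config fragment:"
sftp_only_match_block sftponly /srv/sftp/%u
```

Two caveats a practitioner should check before relying on this: the ChrootDirectory path (and every component above it) must be owned by root and not group- or world-writable or sshd refuses the login, and the user's upload directory has to be a writable subdirectory beneath it; and because internal-sftp runs without a shell, the passwd shell can be left as /bin/false or nologin, which also keeps the accounts out of any other service that honours /etc/shells.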



