I want to restrict a few users to having only SFTP access (Linux Advanced Server 2.4). They should not be able to log in through SSH. I am sure there are a lot of ways of doing so. I think even with TCP Wrappers I would be able to restrict the users to SFTP only.
My concern is the security issue.
I am not sure if this is the way to do in the Production environment.
I would appreciate it if you could provide me some better ways to achieve this.
1. In your /etc/ssh/ssh_config or sshd_config, you can add a "DenyUsers" line, e.g.:
DenyUsers bob alex
Or, you could use SCP (and only let people use WinSCP or a similar programme). You can download and install the scponly shell (and then change the entry in /etc/passwd). This means that users do not have a shell which they can type in. They can only use SCP.
BUT: compile the scponly shell with --enable-chrooted-binary, which results in having a second executable, scponlyc.
Otherwise your users can browse over the complete system (wherever they have access of course). We stumbled upon this when we accessed our SCP Server from a Windows box with WinSCP.
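As an added example (not code from any poster in this thread), a small POSIX sh audit over a constructed passwd file that reports which of the intended SFTP-only users still have a login shell, and which restricted users run the unchrooted scponly rather than scponlyc and can therefore still browse the system. The shell install paths and the sample accounts are assumptions.

```shell
# Audit which accounts still get an interactive shell and which are confined
# to scp/sftp-only shells. The passwd file below is constructed sample data.
SAMPLE_PASSWD=$(mktemp)
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bob:x:1001:1001:bob:/home/jail//home/bob:/usr/local/bin/scponlyc
alex:x:1002:1002:alex:/home/alex:/bin/bash
carol:x:1003:1003:carol:/home/carol:/usr/local/bin/scponly
EOF
# Shells that give no interactive login (install paths are assumptions).
RESTRICTED_SHELLS="/usr/local/bin/scponly /usr/local/bin/scponlyc /usr/bin/rssh"
# Of those, the ones that also chroot the user into a jail.
CHROOTING_SHELLS="/usr/local/bin/scponlyc"

# user_shell PASSWD USER -> prints USER's login shell (empty if no such user)
user_shell() {
    awk -F: -v u="$2" '$1 == u { print $7 }' "$1"
}
# in_list NEEDLE "word word ..." -> 0 if NEEDLE is one of the words
in_list() {
    for w in $2; do [ "$w" = "$1" ] && return 0; done
    return 1
}
# audit_sftp_only PASSWD USER... -> prints each listed user whose shell still
# permits a login; returns 1 if any were found, 0 if all are confined.
audit_sftp_only() {
    f=$1; shift; rc=0
    for u in "$@"; do
        sh=$(user_shell "$f" "$u")
        if ! in_list "$sh" "$RESTRICTED_SHELLS"; then
            echo "$u: shell '${sh:-<no such user>}' allows login"; rc=1
        fi
    done
    return $rc
}
# unjailed_scp_users PASSWD -> restricted users whose shell does not chroot,
# so they can still browse every path their Unix permissions allow.
unjailed_scp_users() {
    while IFS=: read -r u _pw _uid _gid _gecos _home sh; do
        if in_list "$sh" "$RESTRICTED_SHELLS" && ! in_list "$sh" "$CHROOTING_SHELLS"; then
            echo "$u"
        fi
    done < "$1"
}

if audit_sftp_only "$SAMPLE_PASSWD" bob carol alex; then echo "all confined"; fi
echo "restricted but not chrooted: $(unjailed_scp_users "$SAMPLE_PASSWD")"
```

Run against the real /etc/passwd by replacing SAMPLE_PASSWD; any user the audit reports can still open a shell over SSH regardless of what the SFTP client shows.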
There is a little program called scpjailer which sets up a complete scponly chrooted environment in conjunction with the scponly shell.
Yes, he does need to have them. But scpjailer delivers an all-in-one library, busybox. It's in fact one executable which implements all necessary libraries.
It looks cluttered but it is necessary. The scp user needs these to navigate through the file system and execute file operations. As you jailed the user in a directory, the user does not have access to the system libraries and executables anymore and needs his own below the jailed directory.
That's why there are the /bin, /etc, /lib etc. directories.
Be warned that the last release (0.3) of scpjailer is out of sync with the busybox/openssh/uclib releases! This could easily be a security hole.
The build script _does_not_ work just by changing the versions in the script, but somebody (I'm trying, but I'm not too good at it) should attempt to fix it, since the upstream author (http://tjw.org/scpjailer/) appears to have abandoned maintenance for the time being.
"As far as I'm concerned, rssh is done. Period. Barring any bugs found, that is... I will fix reported bugs as time allows. Development of this program is, however, anything but a priority for me right now."