
Thread: Allow local shell but not SSH shell

  1. #1
    Join Date
    Jun 2006
    Beans
    101

    Allow local shell but not SSH shell

    SFTPD is available for certain allowed users, except they don't get a shell, so far so good.
    Now the side effect is that SSHD must be running for SFTPD to work. Now all (non-SFTPD) users could potentially log in via SSH instead of just locally in front of the machine.
    How can I prevent SSH remote login for everyone (except for the SFTPD users), so they can only log in when they are in fact in front of the PC?

    Oh also is it "PermitRootLogin no" or "AllowRootLogin no"? Seems different websites use one or the other.

    Meanwhile I found out more:
    In sshd_config, typical for Linux, various things just do not work as many internet sites claim:
    DenyGroups does not work with a '!' to negate, for example
    DenyGroups !somegroup
    DenyUsers does not work with a comma. You need 1 line for each user.
    DenyUsers someone,someonelse <- will NOT work!
    AllowUsers similarly doesn't work in that way.
    I'm using openssh v5.xxx

    So, I solved the problem by just adding a DenyUsers line for everyone. thx
    Last edited by SRTS; December 13th, 2010 at 01:54 AM.

  2. #2
    Join Date
    Feb 2009
    Location
    Dallas, TX
    Beans
    6,697
    Distro
    Ubuntu 14.04 Trusty Tahr

    Re: Allow local shell but not SSH shell


  3. #3
    Join Date
    Jun 2006
    Beans
    101

    Re: Allow local shell but not SSH shell

    Quote Originally Posted by papibe View Post
    Um thanks, but won't this actually also prevent all local login too if I remove their shells, so they can't log in at ALL anymore?

  4. #4
    Join Date
    Feb 2009
    Location
    Dallas, TX
    Beans
    6,697
    Distro
    Ubuntu 14.04 Trusty Tahr

    Re: Allow local shell but not SSH shell

    Quote Originally Posted by SRTS View Post
    ... so they can't log in at ALL anymore?
    They can't. It seems the best solution would be a compromise. Like removing all ssh access to the users, and creating special users that can only sftp to the server. This article explains it in detail:

    How do I allow a user to use scp or sftp, but not allow regular ssh.

    I hope it helps.
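
One way to express the setup discussed in this thread in sshd_config, as an added example that is not part of the original posts. The group name `sftponly` is an assumption; the directives are standard OpenSSH keywords documented in sshd_config(5).

```conf
# /etc/ssh/sshd_config fragment (added example)
# "sftponly" is an assumed group name; create it and add the SFTP users to it.

# The keyword is PermitRootLogin; sshd has no AllowRootLogin option.
PermitRootLogin no

# Only members of this group may log in through sshd at all.
# Everyone else is refused over SSH but keeps a normal shell for
# console logins, because local logins do not pass through sshd.
AllowGroups sftponly

# sshd_config(5) defines the Allow*/Deny* lists as patterns separated
# by spaces, so several names go on one line like this:
#   DenyUsers someone someonelse

# Use the in-process SFTP server so the SFTP users need no shell.
Subsystem sftp internal-sftp

# Restrict the permitted group to SFTP only: no shell, no forwarding.
Match Group sftponly
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
```

Check the file with `sshd -t` before restarting the daemon, and keep an existing session open while testing.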
