A colleague today asked for some guidance around setting up an SFTP- and SCP-only account on a Red Hat based Linux machine.
I sent him a collection of links, including one to the CopSSH project, and he implemented the code from that link, but then struggled when it didn't work.
Aside from the fact that the shell wasn't copied into /etc/shells (which wasn't disastrous, but did mean we couldn't reuse it later), it was still returning an error on each load.
Doing some digging and running some debugging, I noticed that the pscp tool (the PuTTY SCP client) uses the SFTP subsystem rather than the SCP command to upload files, so we also need to check whether the SFTP server has been called instead of the SCP command, and the SCP command itself needs to be corrected.
Here follows a script, complete with comments. Personally, I'd save this as /bin/sftponly, created and owned by root, with permissions set to 755 (rwxr-xr-x), and list it in /etc/shells (the step that was missed above). Then set the shell to this for each user who needs to do SFTP or SCP only.
#!/bin/bash
# Based on code from http://www.itefix.no/i2/node/12366
# Amended by Jon Spriggs (jon@sprig.gs)
# Last update at 2011-09-16

# sshd runs a login shell as "<shell> -c <command>", so the whole received
# command line (for example "-c scp -t /some/path") is pushed into one variable.
tests="$*"

# Set up a state handler as false
isvalid=0

# Test for the SFTP handler. The comparison covers exactly the length of the
# expected string, so the whole of it has to match.
sftp_cmd="-c /usr/libexec/openssh/sftp-server"
if [ "${tests:0:${#sftp_cmd}}" == "$sftp_cmd" ]; then
    # Set the state handler to true
    isvalid=1
    # Configure the handling service
    use=/usr/libexec/openssh/sftp-server
fi

# Test for the SCP handler. Only the leading "-c scp" is checked here; the
# remaining arguments are handed on to scp unchanged.
if [ "${tests:0:6}" == "-c scp" ]; then
    # Set the state handler to true
    isvalid=1
    # Configure the handling service
    use=/usr/bin/scp
fi

# If the state handler is set to false (0), exit with an error message.
if [ "$isvalid" == "0" ]; then
    echo "SFTP/SCP only!" >&2
    exit 1
fi

# Run the handler. $* is deliberately left unquoted: the received command
# arrives as a single string, and word splitting turns "scp -t /path" back
# into separate arguments. sftp-server treats a leading -c as "invoked as a
# login shell" and ignores what follows it.
exec $use $*
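As an added example that is not part of the original post: the script above only compares the leading characters of the received command, so everything after "scp" reaches /usr/bin/scp unchecked. The function below is my own code (not the post's script nor the itefix original) and applies a stricter check: it accepts the sftp-server subsystem request as-is, and for scp accepts only the server-side -t/-f modes, the flags the scp client itself forwards, and a single path. The handler paths are taken from the post; the wiring at the bottom assumes sshd invokes the login shell as "<shell> -c '<command>'", and quoted paths containing spaces are not handled.

```shell
#!/bin/bash
# Stricter dispatcher for a restricted SFTP/SCP login shell (added example).
set -f   # no globbing while the command string is word-split below

SFTP_SERVER=/usr/libexec/openssh/sftp-server   # path from the post
SCP=/usr/bin/scp                               # path from the post

# Usage: select_handler "<command string after -c>"
# Prints the program to exec and returns 0, or prints nothing and returns 1.
select_handler() {
    local cmd="$1"
    # Subsystem requests (also what pscp sends) are exactly the sftp-server path.
    if [ "$cmd" = "$SFTP_SERVER" ]; then
        echo "$SFTP_SERVER"
        return 0
    fi
    # Split the scp command line into words (quoted paths are not handled).
    set -- $cmd
    [ "$1" = "scp" ] || return 1
    shift
    local mode=""
    while [ $# -gt 1 ]; do
        case "$1" in
            -t|-f) mode="$1" ;;          # receive (-t) or send (-f): required
            -v|-p|-r|-d) ;;              # flags the scp client forwards; allowed
            *) return 1 ;;               # any other option is refused
        esac
        shift
    done
    # A mode must have been seen and exactly one argument, the path, must remain.
    [ -n "$mode" ] && [ $# -eq 1 ] || return 1
    case "$1" in
        -*) return 1 ;;                  # an option where the path should be
    esac
    echo "$SCP"
    return 0
}

# Login-shell wiring: sshd runs "<shell> -c '<command>'", so the command is $2.
if [ "$1" = "-c" ]; then
    if handler=$(select_handler "$2"); then
        set -- $2
        shift                            # drop the leading "scp" word (or the sftp path)
        exec "$handler" "$@"
    fi
    echo "SFTP/SCP only!" >&2
    exit 1
fi
```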