Allow sftp and su access for a user while blocking ssh access
Environment
- Red Hat Enteprise Linux 6
- Red Hat Enteprise Linux 7
Issue
How to grant only the following access privileges to a user:
-
User should be able to login via ssh.
-
By logging in as another user, it should be possible to use 'su' to switch to the user. ie user should have a shell
- User should be able to login via sftp
Resolution
Make the following configuration change in /etc/ssh/sshd_config file and restart sshd service.
Subsystem sftp internal-sftp
Match User user_name
ForceCommand internal-sftp
Root Cause
With the 'Match' directive available in openssh package shipped with Red Hat Enteprise Linux 6, it is possible to assign internal-sftp to 'users / group' which gives only sftp access. As user has a shell defined in passwd file, su will still work.
Openssh package shipped with Red Hat Enteprise Linux 5 and older versions does not support 'Match' directive and hence, the above requirement can be accomplished only by running two instances of openssh server
Diagnostic Steps
# sftp user_name@localhost
Connecting to localhost...
user_name@localhost's password:
sftp> quit
# ssh user_name@localhost
user_name@localhost's password:
Connection to localhost closed.
# su - user_name
$ whoami
user_name
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
Comments