Allow sftp and su access for a user while blocking ssh access

Solution Verified

Environment

  • Red Hat Enterprise Linux 6
  • Red Hat Enterprise Linux 7

Issue

How to grant only the following access privileges to a user:

  • The user should not be able to log in via ssh (no interactive shell session over ssh).

  • After logging in as another user, it should be possible to use 'su' to switch to the user, i.e. the user must have a shell.

  • The user should be able to log in via sftp.

Resolution

Make the following configuration change in the /etc/ssh/sshd_config file and restart the sshd service.

Subsystem       sftp    internal-sftp
Match User user_name
        ForceCommand internal-sftp

Root Cause

With the 'Match' directive available in the openssh package shipped with Red Hat Enterprise Linux 6, it is possible to assign internal-sftp to a user or group, which gives only sftp access. As the user still has a shell defined in the passwd file, su will still work.

The openssh package shipped with Red Hat Enterprise Linux 5 and older versions does not support the 'Match' directive; hence, the above requirement can be accomplished there only by running two instances of the openssh server.
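To show how sshd resolves these lines for a given user, and why their placement in the file matters, here is an added Python model of the Match evaluation described above (example code written for this article, not Red Hat's or the OpenSSH project's). It applies the rules from sshd_config(5): keywords before the first Match line are global, a Match block runs until the next Match line and overrides the global section for the users it matches, and the first matching block to set a keyword wins. It also flags a duplicate Subsystem definition, because sshd refuses to start when a Subsystem name is defined twice; on a RHEL 7 host whose stock sshd_config already carries "Subsystem sftp /usr/libexec/openssh/sftp-server", that line must be replaced by the article's internal-sftp line rather than left in place. The two sample configurations are constructed, and the function names (parse_sshd_config, effective_option, check_config) are this example's own.

```python
"""Model of how sshd resolves a user's effective sshd_config settings.

Constructed example for this article; not Red Hat's or OpenSSH's code.
Only the User and All criteria are modelled (Group/Host/Address blocks are
treated as not matching) and '!' negation of patterns is not modelled.
"""
import fnmatch
import shlex


def _parse_match_criteria(args):
    """Turn ['User', 'alice,bob'] or ['User=alice'] into {'user': 'alice,bob'}."""
    tokens = []
    for arg in args:
        tokens.extend(arg.split("=", 1))
    if len(tokens) == 1 and tokens[0].lower() == "all":
        return {"all": ""}
    if len(tokens) % 2:
        return None  # malformed Match line: criteria must come in pairs
    return {tokens[i].lower(): tokens[i + 1] for i in range(0, len(tokens), 2)}


def parse_sshd_config(text):
    """Return (global_opts, match_blocks, errors).

    global_opts : {keyword: value} for the section before the first Match
    match_blocks: [(criteria, {keyword: value}), ...] in file order
    errors      : conditions that make sshd refuse to start
    """
    global_opts, blocks, errors = {}, [], []
    seen_subsystems = set()
    current = None  # None while still in the global section
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = shlex.split(line)
        keyword, args = parts[0].lower(), parts[1:]
        if keyword == "match":
            criteria = _parse_match_criteria(args)
            if criteria is None:
                errors.append(f"line {lineno}: Match requires criteria-pattern pairs")
                criteria = {}  # an empty criteria set matches nobody
            current = {}
            blocks.append((criteria, current))
            continue
        if keyword == "subsystem":
            name = args[0] if args else ""
            if current is not None:
                errors.append(f"line {lineno}: Subsystem is not allowed within a Match block")
            if name in seen_subsystems:
                errors.append(f"line {lineno}: Subsystem '{name}' already defined")
            seen_subsystems.add(name)
        target = global_opts if current is None else current
        target.setdefault(keyword, " ".join(args))  # first value in a section wins
    return global_opts, blocks, errors


def _block_matches(criteria, user):
    if "all" in criteria:
        return True
    if not criteria:
        return False
    for crit, patterns in criteria.items():
        if crit != "user":
            return False  # Group/Host/Address need system lookups; not modelled
        if not any(fnmatch.fnmatchcase(user, p) for p in patterns.split(",")):
            return False
    return True


def effective_options(text, user):
    """Settings sshd would apply to `user`: global values overridden by Match blocks."""
    global_opts, blocks, _ = parse_sshd_config(text)
    from_match = {}
    for criteria, opts in blocks:
        if _block_matches(criteria, user):
            for keyword, value in opts.items():
                from_match.setdefault(keyword, value)  # earliest matching block wins
    return {**global_opts, **from_match}


def effective_option(text, user, keyword):
    return effective_options(text, user).get(keyword.lower())


def check_config(text):
    """Errors that would make 'sshd -t' fail and keep the service from starting."""
    return parse_sshd_config(text)[2]


# Stock sftp Subsystem line as shipped in RHEL 7's /etc/ssh/sshd_config.
STOCK_SUBSYSTEM = "Subsystem sftp /usr/libexec/openssh/sftp-server"

# Constructed sample: the stock Subsystem line replaced as the article shows.
GOOD_CONFIG = """\
Subsystem       sftp    internal-sftp
Match User user_name
        ForceCommand internal-sftp
"""

# Constructed sample: the article's lines appended without removing the stock line.
BAD_CONFIG = STOCK_SUBSYSTEM + """
Subsystem sftp internal-sftp
Match User user_name
        ForceCommand internal-sftp
"""

if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(label, "errors:", check_config(cfg))
        for user in ("user_name", "admin"):
            print(f"  {user}: ForceCommand={effective_option(cfg, user, 'ForceCommand')}")
```

On the host itself the authoritative checks are 'sshd -t' (with -f to name an alternate file), which validates the configuration before a restart, and 'sshd -T -C user=user_name', which prints the settings sshd would actually apply to that user after Match evaluation; both need root because sshd reads the host keys. When the service fails to start on RHEL 7, 'journalctl -u sshd' shows the exact line sshd rejected.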

Diagnostic Steps

# sftp user_name@localhost
Connecting to localhost...
user_name@localhost's password: 
sftp> quit

# ssh user_name@localhost
user_name@localhost's password: 

Connection to localhost closed.

# su - user_name
$ whoami
user_name

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.

1 Comment

Hi

My simple requirement is to allow WinSCP or FileZilla clients from my desktop to the RHEL 7.5 VM. Once I followed the above, I was even unable to restart the sshd service:

Aug 06 03:00:39 localhost.localdomain systemd[1]: sshd.service: main process exited, code=exited, status=255/n/a
Aug 06 03:00:39 localhost.localdomain systemd[1]: Failed to start OpenSSH server daemon.
Aug 06 03:00:39 localhost.localdomain systemd[1]: Unit sshd.service entered failed state.
Aug 06 03:00:39 localhost.localdomain systemd[1]: sshd.service failed.

Then I removed the following from the sshd_config file:

Subsystem sftp internal-sftp
Match User user_name
ForceCommand internal-sftp

and was able to restart the sshd service using systemctl status sshd.service.

Please advise how I can open access, as my testing is stuck due to this challenge. Note that I am able to connect using PuTTY to the Linux VM via root but unable to connect via FileZilla / WinSCP even using root credentials.