Allow sftp and su access for a user while blocking ssh access
Environment
- Red Hat Enterprise Linux 6
- Red Hat Enterprise Linux 7
- Red Hat Enterprise Linux 8
- Red Hat Enterprise Linux 9
- Red Hat Enterprise Linux 10
Issue
How to grant only the following access privileges to a user:
- The user should not be able to log in via ssh.
- After logging in as another user, it should be possible to use 'su' to switch to the user, i.e. the user should have a valid login shell.
- The user should be able to log in via sftp.
Resolution
Make the following configuration change in the /etc/ssh/sshd_config file and restart the sshd service.
Subsystem sftp internal-sftp
Match User user_name
ForceCommand internal-sftp
Root Cause
With the 'Match' directive available in the openssh package shipped with Red Hat Enterprise Linux 6 and later, it is possible to assign internal-sftp as the forced command for specific users or groups, which gives them sftp access only. Because the user still has a shell defined in the passwd file, su will continue to work.
The openssh package shipped with Red Hat Enterprise Linux 5 and older versions does not support the 'Match' directive, so on those releases the above requirement can be accomplished only by running two instances of the openssh server.
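The scoping rule behind the fix is that every directive after a Match line belongs to that block until the next Match line or the end of the file, and a satisfied Match block overrides the global section (with the first satisfied block winning per keyword). The following added example, which is not part of the Red Hat article, implements that resolution logic for the User criterion over a constructed sshd_config so the effective ForceCommand for a given user can be checked offline; the sample user and pattern names are made up.

```python
import fnmatch
import shlex

# Constructed sshd_config (not the article's file): the global Subsystem line, the Match block from the resolution, and a second block using a pattern list.
SAMPLE_CONFIG = """\
Subsystem sftp internal-sftp
Match User user_name
    ForceCommand internal-sftp
Match User backup_*,!backup_admin
    ForceCommand internal-sftp
"""

def user_matches(patterns, user):
    # 'User' criterion: comma-separated globs; a matching '!' pattern vetoes the list.
    matched = False
    for pat in patterns.split(","):
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(user, pat[1:]):
                return False
        elif fnmatch.fnmatchcase(user, pat):
            matched = True
    return matched

def parse(config_text):
    # Everything after a Match line belongs to that block until the next Match.
    global_opts, blocks, current = [], [], None
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        keyword, *args = shlex.split(line)
        if keyword.lower() == "match":
            current = []
            blocks.append((args, current))
        else:
            (global_opts if current is None else current).append((keyword.lower(), " ".join(args)))
    return global_opts, blocks

def effective_option(config_text, user, keyword):
    # A satisfied Match block overrides the global section; among satisfied blocks
    # the first occurrence wins. Only the User criterion is evaluated here.
    keyword = keyword.lower()
    global_opts, blocks = parse(config_text)
    for criteria, opts in blocks:
        pairs = list(zip(criteria[0::2], criteria[1::2]))
        if pairs and all(c.lower() == "user" and user_matches(p, user) for c, p in pairs):
            for k, v in opts:
                if k == keyword:
                    return v
    return next((v for k, v in global_opts if k == keyword), None)
```

On a real host the same question is answered by sshd itself with `sshd -T -C user=user_name | grep -i forcecommand`, which prints the effective configuration for that user.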
Diagnostic Steps
# sftp user_name@localhost
Connecting to localhost...
user_name@localhost's password:
sftp> quit
# ssh user_name@localhost
user_name@localhost's password:
Connection to localhost closed.
# The "refusing non-sftp session" error was triggered in /var/log/secure when logging in via SSH.
Jul 24 10:37:56 rhel8u6-1 sshd[xxx]: Accepted password for user_name from xx.xx.xx.xx port xxx ssh2
Jul 24 10:37:56 rhel8u6-1 systemd[2184]: pam_unix(systemd-user:session): session opened for user user_name by (uid=x)
Jul 24 10:37:56 rhel8u6-1 sshd[xxx]: pam_unix(sshd:session): session opened for user user_name by (uid=x)
...
Jul 24 10:37:56 rhel8u6-1 sshd[xxx]: error: Connection from user user_name xx.xx.xx.xx port xxx: refusing non-sftp session [postauth]
Jul 24 10:37:56 rhel8u6-1 sshd[xxx]: Received disconnect from xx.xx.xx.xx port xxx:11: disconnected by user [postauth]
# su - user_name
$ whoami
user_name
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.