Allow sftp and su access for a user while blocking ssh access

Solution Verified - Updated -

Environment

  • Red Hat Enteprise Linux 6
  • Red Hat Enteprise Linux 7

Issue

How to grant only the following access privileges to a user:

  • User should be able to login via ssh.

  • By logging in as another user, it should be possible to use 'su' to switch to the user. ie user should have a shell

  • User should be able to login via sftp

Resolution

Make the following configuration change in /etc/ssh/sshd_config file and restart sshd service.

Subsystem       sftp    internal-sftp
Match User user_name
        ForceCommand internal-sftp

Root Cause

With the 'Match' directive available in openssh package  shipped with Red Hat Enteprise Linux 6, it is possible to assign  internal-sftp to 'users / group' which gives only sftp access. As  user has a shell defined in passwd file, su will still work.

Openssh package shipped with Red Hat Enteprise Linux 5 and older  versions does not support 'Match' directive and hence, the above  requirement can be accomplished only by running two instances of openssh  server

Diagnostic Steps

# sftp user_name@localhost
Connecting to localhost...
user_name@localhost's password: 
sftp> quit



# ssh user_name@localhost
user_name@localhost's password: 

Connection to localhost closed.



# su - user_name
$ whoami 
user_name

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.

Comments