7

Possible Duplicate:
Disable direct login for normal users (like oracle) in linux but allow scp and sftp?

I want to prevent a Unix account from being SSH'ed into, but it should still be usable for SCP / SFTP.

Is that possible?

The rationale is that a Unix server uses a generic account for the application, and people have been logging on to the box using that generic account rather than their personal accounts. We want them to SSH to the box using their personal accounts for audit reasons.

3 Answers

9

It's quite possible, and there are a number of ways to do this. There are kludges and elegant solutions. It all depends on the fine details of what you want to do and how much time you want to invest.

If you have some remote-only users that you want to restrict to scp/sftp, you might want to look at scponly and this set of instructions on how to make it work (assumes Debian).

You could also try rssh, which is another shell replacement to do the same thing.

You should also make a group for these restricted users and (of course) add the users to the group. Then, add something like this to your sshd_config file (often found in /etc/ssh or /etc):

Match Group sftp-only
        ForceCommand internal-sftp
        #ChrootDirectory /somewhere/%u # Optional chroot jail (the directory and every parent must be root-owned and not group/other writable)
        #AllowTcpForwarding no         # Disable TCP forwarding
        #X11Forwarding no              # Disable X11 forwarding
        #ForceCommand internal-sftp -u 077  # To set the umask, use this in place of the ForceCommand above: the umask is an internal-sftp option, sshd_config has no Umask keyword

This will disable/force things like TCP forwarding for these users. You obviously need to remove the # for the ones you need. Check the sshd_config(5) manpage for more details on this.

Of the kludges, the simplest is to change the user's shell to false or nologin (on Debian, /bin/nologin and /usr/sbin/nologin respectively). A slightly more complex kludge is to put a check in /etc/profile for the user or the user's group and log them out with a ‘not allowed to log in’ message. If you like to hedge your bets (I do), you can do that as well. Just remember that it's not sufficient on its own.

If you have the Snail Book, chapter 8 (freely available as a sample) also has some recipes.

Alexios
  • 19,157
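A worked version of the Match-block approach in this answer, added here as an example (it is not code from the answer or from OpenSSH): it renders the fragment, audits an sshd_config file to confirm the group really is pinned to internal-sftp with no TTY, and checks a directory against the ownership rule sshd enforces on ChrootDirectory. The group name sftp-only comes from the answer; the chroot base /srv/sftp, the function names and the use of GNU stat are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not code from the original answer: render the sftp-only
# Match block, audit an sshd_config file for it, and check a chroot
# directory against sshd's ownership rule. Assumed names: the group
# sftp-only (from the answer), the chroot base /srv/sftp, GNU stat.
set -eu

# Print an sshd_config fragment that confines GROUP to SFTP. The umask is
# an option of internal-sftp ("-u"); sshd_config has no Umask keyword.
render_sftp_only_match() {
    local group="$1" chroot_base="${2:-/srv/sftp}"
    cat <<EOF
Match Group ${group}
    ForceCommand internal-sftp -u 077
    ChrootDirectory ${chroot_base}/%u
    PermitTTY no
    AllowTcpForwarding no
    AllowAgentForwarding no
    X11Forwarding no
    PermitTunnel no
EOF
}

# Print the value of KEYWORD inside the "Match Group GROUP" block of CONFIG,
# or nothing if the block or keyword is absent. A Match line opens a block
# and the next Match line closes it; comment and blank lines are skipped.
# Keywords are matched case-insensitively, as sshd(8) does.
match_block_value() {
    local config="$1" group="$2" keyword="$3"
    awk -v grp="$group" -v kw="$keyword" '
        /^[[:space:]]*#/ || NF == 0 { next }
        tolower($1) == "match" {
            inblock = 0
            for (i = 2; i < NF; i += 2)
                if (tolower($i) == "group" && $(i + 1) == grp) inblock = 1
            next
        }
        inblock && tolower($1) == tolower(kw) {
            $1 = ""; sub(/^[[:space:]]+/, ""); print; exit
        }
    ' "$config"
}

# Return 0 if GROUP is confined to SFTP in CONFIG: ForceCommand must be
# internal-sftp (anything else leaves a real shell reachable) and PermitTTY
# must be "no". Prints one line per failed check so the result is auditable.
audit_sftp_only() {
    local config="$1" group="$2" ok=0 fc tty
    fc="$(match_block_value "$config" "$group" ForceCommand)"
    tty="$(match_block_value "$config" "$group" PermitTTY)"
    case "$fc" in
        internal-sftp|"internal-sftp "*) ;;
        *) echo "FAIL: ForceCommand for $group is '${fc:-unset}', want internal-sftp"; ok=1 ;;
    esac
    if [ "$(printf '%s' "$tty" | tr '[:upper:]' '[:lower:]')" != "no" ]; then
        echo "FAIL: PermitTTY for $group is '${tty:-unset}', want no"; ok=1
    fi
    return "$ok"
}

# Return 0 if DIR meets sshd's ChrootDirectory rule: DIR and every parent
# are owned by root and not writable by group or others. Uses GNU stat;
# %A yields e.g. "drwxr-xr-x" (char 6 = group write, char 9 = other write).
chroot_dir_ok() {
    local path="$1" owner perms
    while :; do
        owner="$(stat -c %u "$path")"
        perms="$(stat -c %A "$path")"
        case "$perms" in
            ?????w*|????????w*) echo "FAIL: $path is group/other writable ($perms)"; return 1 ;;
        esac
        if [ "$owner" != 0 ]; then
            echo "FAIL: $path is owned by uid $owner, ChrootDirectory needs root"; return 1
        fi
        [ "$path" = / ] && return 0
        path="$(dirname "$path")"
    done
}

# Demonstration on a constructed config file written to a temp path.
demo_config="$(mktemp)"
render_sftp_only_match sftp-only > "$demo_config"
audit_sftp_only "$demo_config" sftp-only && echo "OK: sftp-only is confined to internal-sftp"
rm -f "$demo_config"
```

After appending the rendered block to sshd_config, let OpenSSH confirm it: `sshd -t -f /etc/ssh/sshd_config` checks the syntax, and `sshd -T -C user=alice` (alice being a local member of sftp-only) prints the effective settings with the Match block applied, so you can see the ForceCommand take effect before touching anyone's shell. Create each jail with `install -d -o root -g root -m 755 /srv/sftp/alice` and give the user a writable subdirectory inside it; the chroot root itself must not be writable by the user, which is what `chroot_dir_ok` checks.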
2

Yes, this is possible, but it is not very easy. There is a program called rssh which, if used as the default shell for a user, will only allow sftp, scp, rsync, cvs, and rdist. You can of course edit the config files to restrict it further.

http://www.pizzashack.org/rssh/

Stephen
  • 286
0

Have you tried no-pty in $HOME/.ssh/authorized_keys of that user?

man sshd(8), AUTHORIZED_KEYS FILE FORMAT:
     no-pty  Prevents tty allocation (a request to allocate a pty will fail).
brownian
  • 101