I have an array of users who need to just upload files to their set homedirs. I think sftp would suffice, but I don't want them to login via shell. So is it possible? My platform is centos 7, user's homedirs are stored lets say /personal/$user
I created user with these settings
useradd -m -d /personal/user1 -s /sbin/nologin
assigned user a passwd, then when I use sftp to login to the machine, it says cannot connect.
I like the following setup for managing SSH access, which I've used to manage a group of users on small fleets of servers. Security and ease of management is high on the list of my priorities.
Its key features are easily managing SSH rights through Unix group membership, having tightly defined permissions, and being secure by default.
Install software (optional but useful):
yum install members # or apt install members
Add groups:
addgroup --system allowssh
addgroup --system sftponly
Add a new file /etc/ssh/sshd_config.d/strict.conf (you can replace strict with a better name), with the following contents:
PermitRootLogin no
PubkeyAuthentication no
PasswordAuthentication no
Match Group allowssh
PubkeyAuthentication yes
Match Group sftponly
ChrootDirectory %h
DisableForwarding yes
ForceCommand internal-sftp
This assumes that your OpenSSH setup includes sshd_config.d/*.conf to override the main config. Check your SSH documentation, or verify that the main sshd_config has an appropriate Include directive. If your setup does not support this, you could edit sshd_config directly instead.
Also, don't forget to restart the SSH service after modifying the configuration.
So, what does all this do?
allowssh group.sftponly group cannot get a shell over SSH, only SFTP.Managing who has access is then simply done by managing group membership (group membership changes take effect immediately, no SSH restart required; but note that existing sessions are not affected). members allowssh will show all users that are allowed to log in over SSH, and members sftponly will show all users that are limited to SFTP.
# adduser marcelm allowssh
# members allowssh
marcelm
# deluser marcelm allowssh
# members allowssh
#
Note that your sftp users need to be members of both sftponly (to ensure they won't get a shell), and of allowssh (to allow login in the first place).
Please note that this configuration does not allow password logins; all accounts need to use public key authentication. This is probably the single biggest security win you can get with SSH, so I argue it's worth the effort even if you have to start now.
If you really don't want this, then also add PasswordAuthentication yes to the Match Group allowssh stanza. This will allow both pubkey and password auth for allowssh users. Alternatively, you can add another group (and Match Group stanza) to selectively grant users password-based logins.
This configuration limits any sftponly user to their home directory. If you do not want that, remove the ChrootDirectory %h directive.
If you do want the chrooting to work, it's important that the user's home directory (and any directory above it) is owned by root:root and not writable by group/other. It's OK for subdirectories of the home directory to be user-owned and/or writable.
Yes, the user's home directory must be root-owned and unwritable to the user. Sadly, there are good reasons for this limitation. Depending on your situation, ChrootDirectory /home might be a good alternative.
Setting the shell of the sftponly users to /sbin/nologin is neither necessary nor harmful for this solution, because SSH's ForceCommand internal-sftp overrides the user's shell.
Using /sbin/nologin may be helpful to stop them logging in via other ways (physical console, samba, etc) though, so it's still recommended.
This setup does not allow direct root logins over SSH; this forms an extra layer of security. If you really do need direct root logins, change the PermitRootLogin directive to forced-commands-only, to allow only key-based forced commands through /root/.ssh/authorized_keys. As a last resort, you can use prohibit-password to allow full key-based logins. Avoid yes.
For bonus points, have a look at restricting who can su to root; add a system group called wheel, and add/enable auth required pam_wheel.so in /etc/pam.d/su.
Match Address directive, to grant different access levels (like allow ssh only from internal IPs, etc)
– Robert Riedl
Feb 28 '19 at 08:24
Edit your /etc/ssh/sshd_config to contain:
Match User [SFTP user]
ForceCommand internal-sftp
Restart sshd. If you have multiple users put them all on the match user line separated by commas like so:
Match User User1,User2,User3
The key to configuring sftp to not allow shell access is to limit users via the ForceCommand option.
Match User [SFTP user] ForceCommand internal-sftp only, without chrooting stuff.
– Martin Prikryl
Feb 27 '19 at 12:36
chroot the users so they can't navigate up and out of your defined "jail"
– ivanivan
Feb 28 '19 at 18:31
just change their default shell to /sbin/nologin. Assuming most varieties of Linux:
# usermod -s /sbin/nologin username
Subsystem sftp internal-sftp) (or maybe ForceCommand internal-sftp). If there's common Subsystem sftp /path/to/sftp-server, nologin will prevent even SFTP.
– Martin Prikryl
Feb 27 '19 at 12:21
you can use tftp. anything over ssh will require a some auth (key|pass).
while tftp can be secured, it may be worth revisiting the decision to provide access to anything without authentication.
tftp also has significant issues from a security standpoint. It might be tolerable on a locked-down, well-monitored network but I would not recommend using it for any situation where there's a secure alternative.
– Chris Adams
Jan 13 '21 at 00:33
There is mysecureshell which allows to restrict users to SFTP and even limit which paths are accessible.
Also there is rrsync for limiting users to rsync only.
