Is it possible to disable direct login for normal users (like oracle) in Linux but allow scp and sftp for that user?
4 Answers
Methods such as creating the file /etc/nologin, setting account login shells to /bin/false or /sbin/nologin effectively disable user accounts from logging into an interactive shell, but do not protect the system.
If you want to specifically restrict a user to using scp or sftp only, install a restricted shell that is designed to do exactly that. The rssh package is a restricted shell designed to work with OpenSSH.
: rssh is a restricted shell for use with OpenSSH, allowing only scp
: and/or sftp. For example, if you have a server which you only want
: to allow users to copy files off of via scp, without providing shell
: access, you can use rssh to do that. It is an alternative to scponly.
You should seriously consider setting a chroot for the users logging in with the restricted rssh shell.
Read and understand the security implications of restricting users in such a way. Start with the man pages for rssh and rssh.conf. You should also understand what a chroot is and how it works.
You can add this to sshd_config:
Match User oracle
ForceCommand set - ""$SSH_ORIGINAL_COMMAND; [ "$1" = "scp" ] || exit 1; CMD=`IFS='\`&;<>'; set - ""$SSH_ORIGINAL_COMMAND; echo $1`; [ "$CMD" ] || exit 1; exec $CMD
Here, I'm matching the user 'oracle'. Instead you can use Match group scponly to match users within the 'scponly' group. If anyone tries to connect in a way that doesn't run scp, then it will silently exit with return code 1.
If the account uses key-based authentication, you can prepend the key in the user's .ssh/authorized_keys file with command="<above commands>".
While I've added some safety against manipulating the file to cause a rogue command to be executed (by truncating at any of the characters &`;<>), I can't be sure that this can't be worked around some way I haven't thought of.
This is all a bit long and messy to stick into an sshd_config file, and a typo could break stuff for other users. It might be better to create a script that does the checking for "scp", and then just call that script from the ForceCommand, thus making the mods in sshd_config much simpler. Check out https://serverfault.com/questions/749474/ssh-authorized-keys-command-option-multiple-commands for some examples of this.
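A standalone version of that checking script, added here as an example (it is not code from the answer above): it accepts only an scp remote invocation, never re-parses the request through a shell, and can be referenced from ForceCommand or from command= in authorized_keys. The install path /usr/local/sbin/scp-guard and the scp binary path /usr/bin/scp are assumptions.

```shell
#!/bin/sh
# Hypothetical guard script for sshd:  ForceCommand /usr/local/sbin/scp-guard
# (install path and /usr/bin/scp below are assumptions, adjust to your system).

# Validate one client request. On success print "scp <flags> -t|-f <path>" and
# return 0; otherwise print nothing and return 1. Tokens are only ever compared
# against an allowlist, so no shell metacharacter can survive into the exec.
scp_guard_check() {
    unset IFS            # default word splitting (space, tab, newline)
    set -f               # no pathname expansion while splitting the request
    set -- $1
    [ "${1-}" = scp ] || return 1
    shift
    _mode= _flags=
    while [ $# -gt 1 ]; do
        case $1 in
            -t|-f)          [ -z "$_mode" ] || return 1; _mode=$1 ;;
            -r|-p|-d|-v|-q) _flags="$_flags $1" ;;
            *)              return 1 ;;
        esac
        shift
    done
    # Exactly one operand must remain: the remote path. Restrict it to a plain
    # character set and refuse ".." components so the request cannot be steered
    # outside the tree the account is meant to see.
    [ $# -eq 1 ] && [ -n "$_mode" ] || return 1
    case $1 in
        -*|*[!A-Za-z0-9_./-]*|..|../*|*/..|*/../*) return 1 ;;
    esac
    printf 'scp%s %s %s\n' "$_flags" "$_mode" "$1"
}

# sshd passes the client's request in SSH_ORIGINAL_COMMAND; an interactive
# login leaves it unset and is therefore refused, as is anything but scp.
scp_guard_main() {
    _cmd=$(scp_guard_check "${SSH_ORIGINAL_COMMAND-}") || exit 1
    set -f
    set -- $_cmd
    shift                       # drop the word "scp"; exec the binary by path
    exec /usr/bin/scp "$@"
}

# Only dispatch when installed under the expected name, so the file can also be
# sourced for testing without executing anything.
case ${0##*/} in
    scp-guard) scp_guard_main ;;
esac
```

Paths containing spaces or characters outside the allowlist are rejected rather than quoted; widen the character class deliberately if the account genuinely needs them.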
Yes, that is possible.
- Set their login shell appropriately, e.g. by chsh -s /bin/false ${user}.
- Tell sshd to use the internal sftp-server:
  Match User ${user}
      ForceCommand internal-sftp
  Match blocks continue until the next Match block or the end of the file (indentation is just for humans), so it might be easiest to add this configuration at the end of the file.
(Substitute ${user} with the desired username.)
Note that clients older than ssh version 9.0 can only use sftp with this configuration. From version 9.0 onwards scp works again because it has been changed to use the sftp protocol internally.
The login shell can be changed from bash to /usr/sbin/nologin or /bin/false to prevent a normal login. The login shell can be changed with usermod:
usermod user_name -s /usr/sbin/nologin
- Some sftp clients aren't using proper sftp, but rather trying to log on and execute basic commands like cd, ls, ... . In that case use scp or another sftp client program. – jippie May 05 '12 at 06:35
- This does not work, at least in the Ubuntu 20.04 default configuration: it uses the user's login shell to start the sftp-server. – Uwe Geuder Jul 30 '22 at 18:05
- rssh is not maintained and it has security vulnerabilities: https://www.cvedetails.com/vulnerability-list/vendor_id-2291/Rssh.html Debian and Ubuntu at least have removed it from all more recent repos. – Uwe Geuder Jul 30 '22 at 18:21