How to disable sftp for some users, but keep ssh enabled?

My project needs me to disable sftp for some users, but those users still need to connect over ssh. Does anyone know how to implement this?

I've seen suggestions to change the file at /etc/ssh/sshd_config, but I'm not sure what to change.

Solution 1:

In general doing this is bad security practice for reasons that others have listed. However, the point of your assignment, I think, is to teach you that you can have conditional config sections based on various criteria.

The way to do this is using a Match conditional block*.

Match User bob
Subsystem   sftp  /bin/false

See sshd_config(5) under the Match section for more information, and matching on Group.

*There's more than one way to do it.

Solution 2:

This doesn't make any sense, it is security through useless obscurity. Any user that can SSH will be able to transfer any file that they are able to read via the SSH session. You will also be able to write, if you have permissions to do so.

As can example, you can download /etc/passwd via ssh using the following method (no scp/sftp session required): ssh [email protected] "cat /etc/passwd" > passwdcopy

If you can see it on your screen via SSH, then you can easily copy it as a file.

The only way this would make sense is if you have a custom restricted shell that enforces a security policy.

However, the inverse of this does make sense (disabling ssh shell but leeaving scp/sftp enabled) because you are not able to execute arbitrary commands via sftp/scp that you can via an ssh shell.

PS: I'm assuming the SSH shell you are granting is a standard shell that allows arbitrary execution. If this is not the case then see this: How to disable sftp subsystem for a specific user or group? and take a look at the Subsystem config option of sshd_config.