Allow SFTP but disallow SSH?
Solution 1:
Starting with version 4.9, OpenSSH (not available in CentOS 5.x, but the ChrootDirectory feature was backported) has an internal-sftp subsystem:

    Subsystem sftp internal-sftp

And then block other uses:

    Match group sftponly
        ChrootDirectory /upload/%u
        X11Forwarding no
        AllowTcpForwarding no
        AllowAgentForwarding no
        ForceCommand internal-sftp

Add your users to the sftponly group. The chroot directory must be owned by root, and cannot be group-writeable, so create a subdirectory for each user, e.g. uploads or home/$username, that's owned by the appropriate user (if you match their home directory, it will be the default working directory when connecting). I'd also set /bin/false as the user's shell.
As an example, users can then upload single files with:

    sftp username@hostname <<< 'put filename.ext uploads/'

(scp will hopefully soon be modified to use sftp so this will become easier)
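
An added example, not part of the original answer: a shell check for the chroot ownership rule described in Solution 1. It goes beyond the answer by also checking every parent directory, because sshd_config(5) requires all components of the ChrootDirectory path to be root-owned directories that are not writable by group or others. It assumes GNU or BusyBox stat; the function names and the TOP argument are hypothetical.

```shell
# Added example (not from the answer). Assumes GNU or BusyBox stat (-L -c).

# check_component DIR [UID]: succeed if DIR is a directory owned by UID
# (default 0 = root) and not writable by group or others.
check_component() {
    dir=$1 want_uid=${2:-0}
    info=$(stat -L -c '%u %a %F' -- "$dir" 2>/dev/null) || {
        echo "FAIL $dir: cannot stat"; return 1; }
    uid=${info%% *}; rest=${info#* }
    mode=${rest%% *}; type=${rest#* }
    [ "$type" = "directory" ] || {
        echo "FAIL $dir: not a directory"; return 1; }
    [ "$uid" = "$want_uid" ] || {
        echo "FAIL $dir: owner uid $uid, expected $want_uid"; return 1; }
    # 022 masks the group-write and other-write permission bits.
    [ $(( 0$mode & 022 )) -eq 0 ] || {
        echo "FAIL $dir: mode $mode is group- or world-writable"; return 1; }
    echo "ok   $dir (uid $uid, mode $mode)"
}

# check_chroot_path PATH [UID] [TOP]: check PATH and each parent up to TOP
# (default /). TOP is a hypothetical convenience for checking a staged tree.
# Symlinks are resolved first, so the physical path is what gets checked.
check_chroot_path() {
    p=$(cd -- "$1" 2>/dev/null && pwd -P) || {
        echo "FAIL $1: no such directory"; return 1; }
    owner=${2:-0} top=${3:-/} rc=0
    while :; do
        check_component "$p" "$owner" || rc=1
        { [ "$p" = "$top" ] || [ "$p" = "/" ]; } && break
        p=$(dirname -- "$p")
    done
    return $rc
}
```

For the configuration above, `check_chroot_path /upload/alice` (alice is a made-up user name) should print only ok lines; a FAIL line marks a directory to fix with chown root or chmod go-w.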
Solution 2:
There is a shell, scponly, that does this. It can chroot too.