shell /bin/false allowing SFTP access [Ubuntu 12.04]

I have a Linux installation (Ubuntu 12.04), managed not only by me. I had restricted SSH access to a user using

/usr/sbin/usermod -s /bin/false my_user

This didn't allow neither SFTP access nor console access.

However today, I found out that users with this shell, do have SFTP access and I'm very sure they didn't have access in the past.

Could there be a config change which is allowing this? Unfortunately, I can't contact any of the others guys to see if any accidental changes were made.


It could be that you have

Subsystem       sftp    internal-sftp

and/or

Match Group sftpusers
   ChrootDirectory %h
   ForceCommand internal-sftp
   AllowTcpForwarding no

or

 Match User username
   ChrootDirectory %h
   ForceCommand internal-sftp

configured which will allow users sftp access even if they have a /bin/false shell. If you didn't set this up you could always audit the /var/log/audit.log etc to see who did it by looking for who made edits (everyone does use sudo don't they) to /etc/ssh/sshd_config and restarted the sshd service.