
Mailing List Archive: OpenSSH: Dev

Method to permit ssh while denying sftp

 

 



bburnell at cisco

Apr 2, 2009, 9:21 AM


Is there a way to permit ssh sessions while denying sftp with openssh
3.8?

In openssh 4.4+ this is possible using the Match directive with Force
Command but I don't know how to configure this in older versions.

Thanks in advance for any guidance.

Brenda

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev [at] mindrot
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev


jmknoble at pobox

Apr 2, 2009, 2:42 PM

Re: Method to permit ssh while denying sftp

On 2009-04-02 11:21, Brenda Burnell (bburnell) wrote:

: Is there a way to permit ssh sessions while denying sftp with openssh
: 3.8?
:
: In openssh 4.4+ this is possible using the Match directive with Force
: Command but I don't know how to configure this in older versions.
:
: Thanks in advance for any guidance.

Are you sure you asked the question you intended to ask?

Permitting ssh while denying sftp makes no sense. If a user has ssh
access, she can transmit files using any of the following methods:

- Using 'scp' instead of 'sftp'
- Executing 'sftp-server' manually
- Executing another file transfer program, such as 'tar' or 'cat'

Perhaps you could explain in more detail what you're intending to allow
and prevent.

--
jim knoble | jmknoble [at] pobox | http://www.pobox.com/~jmknoble/
(GnuPG key ID: C6F31FFA >>>>>> http://www.pobox.com/~jmknoble/keys/ )
(GnuPG fingerprint: 99D8:1D89:8C66:08B5:5C34::5527:A543:8C33:C6F3:1FFA)


imorgan at nas

Apr 2, 2009, 3:51 PM

Re: Method to permit ssh while denying sftp

On Thu, Apr 02, 2009 at 11:21:12 -0500, Brenda Burnell (bburnell) wrote:
> Is there a way to permit ssh sessions while denying sftp with openssh
> 3.8?
>
>
>
> In openssh 4.4+ this is possible using the Match directive with Force
> Command but I don't know how to configure this in older versions.
>
>
>
> Thanks in advance for any guidance.
>
>
>
> Brenda
>

If you really want to disable sftp support, you could start by not
defining the sftp subsystem in the sshd_config. However, users could
always use the -s option to specify the path to the sftp-server
executable. So you'd have to remove or chmod the executable as well.
But users could still get around that by installing a copy of the
executable in their home directories, assuming that filesystem is not
mounted with the noexec flag.

--
Iain Morgan


djm at mindrot

Apr 2, 2009, 3:55 PM

Re: Method to permit ssh while denying sftp

On Thu, 2 Apr 2009, Iain Morgan wrote:

> If you really want to disable sftp support, you could start by not
> defining the sftp subsystem in the sshd_config. However, users could
> always use the -s option to specify the path to the sftp-server
> executable. So you'd have to remove or chmod the executable as well.
> But users could still get around that by installing a copy of the
> executable in their home directories, assuming that filesystem is not
> mounted with the noexec flag.

... and even then they will still be able to transfer files using
cat, dd, tar and other standard tools, probably ones that are built into
the shell too.

You can't really allow shell access and deny file transfer access.

-d
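The conditions raised in this thread (sftp subsystem defined, sftp-server executable, home filesystem without noexec, shell access itself) gathered into a small audit. This is an added example, not code from any poster or from OpenSSH. The sshd_config and /proc/mounts text are constructed samples, and the function names and the server_executable flag are assumptions for illustration.

```python
# Constructed sample inputs (not taken from the thread).
SSHD_CONFIG = """\
Port 22
#Subsystem sftp /usr/libexec/sftp-server
Subsystem   sftp   /usr/libexec/openssh/sftp-server
"""
MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
/dev/sda2 /home ext4 rw,nosuid,nodev 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec 0 0
"""

def sftp_subsystem(config_text):
    """Command of an active 'Subsystem sftp' line, or None (keyword is case-insensitive)."""
    for line in config_text.splitlines():
        words = line.split()  # a commented line starts with '#...' and never matches
        if len(words) >= 3 and words[0].lower() == "subsystem" and words[1] == "sftp":
            return " ".join(words[2:])
    return None

def mount_options(mounts_text, path):
    """Return (mount point, options) of the longest mount point containing path."""
    best, opts = "", []
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        mp = fields[1]
        inside = path == mp or path.startswith(mp.rstrip("/") + "/")
        if inside and len(mp) > len(best):
            best, opts = mp, fields[3].split(",")
    return best, opts

def audit(config_text, mounts_text, home, server_executable):
    """List which of the thread's file-transfer paths remain open."""
    findings = []
    cmd = sftp_subsystem(config_text)
    if cmd:
        findings.append(f"sftp subsystem defined: {cmd}")
    if server_executable:  # assumption: caller checked the binary's mode bits
        findings.append("sftp-server is executable (reachable with sftp -s)")
    mp, opts = mount_options(mounts_text, home)
    if "noexec" not in opts:
        findings.append(f"{home} is on {mp} without noexec")
    findings.append("shell access remains: scp, tar, cat, dd still move files")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SSHD_CONFIG, MOUNTS, "/home/alice", True)))
```

The last finding is always reported: closing the first three leaves the shell itself, which is the point the final reply makes.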
