This is an informational Question that I'll ask a Moderator to close so it'll be in the solution DB.
I had a need recently to, as I migrated shell accounts off of a particular server, disable SSH for the migrated users, but still leave sftp and scp available to them; and, of course, not affect users who had yet to be migrated.
The environment was SPARC Solaris v8 using OpenSSH v3.8p1 (OpenSSL v0.9.7d) with gcc v3.3.2.
I did a LOT of searching for an answer. I tried setting the user account's shell (in /etc/passwd) to oddball things like /bin/ftponly (which was a shell script that told them they couldn't login) - that just plain didn't work; sshd choked on the script, and the user couldn't login with sftp/scp. Adding the user ID to DenyUsers in sshd_config was a bust - that not only locks them out of ssh, but also sftp and scp. Another site suggested setting the user's shell to the sftp-server binary, but I really did not like the security implications (OK, so maybe that wasn't 100% rational, but it made my teeth itch).
Then I found Derek Martin's rssh utility (http://www.pizzashack.org/rssh). Great utility, compiled cleanly on the first try, worked as advertised. Solaris gives it problems compiling as a static binary, and the issue with compiling it as a dynamic binary is that if you don't put "PermitUserEnvironment no" in sshd_config, it's possible for users to get around the restrictions (however, there's no privilege escalation issue - they can hack their own account, but not anyone else's). But I have that option set in my sshd_config anyway, so it wasn't an issue for me.
Anyway, if you find yourself in the situation of having to allow sftp/scp/rsync/rdist/cvs access but don't want to allow the user ID to ssh, and want to do it in a clean, secure manner, I think rssh fits the bill. No mucking about with scripts and no using the sftp-server binary as a shell.
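An added example, not part of the original post or of rssh itself: a POSIX sh pre-flight check that verifies the three things the post says matter when a user is moved to rssh - the account's login shell is rssh, rssh is listed in the shells file (if the system keeps one), and sshd_config effectively disables PermitUserEnvironment so a dynamically linked rssh cannot be subverted through ~/.ssh/environment - plus a check that rssh.conf enables only scp and sftp. The rssh path /usr/local/bin/rssh, the user names, and all of the passwd, shells, sshd_config and rssh.conf fragments are constructed for the example; point the functions at the real files on your own host.

```shell
#!/bin/sh
# Added example (not from the original post): checks for a user migrated
# from a full login shell to rssh. All paths are parameters so the checks
# can be run against either constructed fragments or the real files.

# 0 if sshd_config effectively has PermitUserEnvironment set to no.
# OpenSSH defaults the directive to "no" when it is absent, so a missing
# line counts as safe; the first occurrence wins, as in sshd itself, and
# commented-out lines ("#PermitUserEnvironment yes") do not match.
permit_user_env_disabled() {
    cfg=$1
    val=$(awk 'tolower($1)=="permituserenvironment" {print tolower($2); exit}' "$cfg")
    [ -z "$val" ] || [ "$val" = "no" ]
}

# 0 if the user's login shell (field 7 of the passwd file) is the rssh binary.
user_shell_is_rssh() {
    passwd=$1; user=$2; rssh=$3
    shell=$(awk -F: -v u="$user" '$1==u {print $7; exit}' "$passwd")
    [ "$shell" = "$rssh" ]
}

# 0 if the rssh binary appears, as a whole line, in the shells file.
shell_is_listed() {
    shells=$1; rssh=$2
    grep -qx "$rssh" "$shells"
}

# 0 if rssh.conf enables exactly allowscp and allowsftp and nothing else
# (no allowrsync, allowrdist or allowcvs). Comments are stripped first.
rssh_conf_sftp_scp_only() {
    conf=$1
    enabled=$(sed 's/#.*//' "$conf" | awk '$1 ~ /^allow/ {print $1}' | sort -u | tr '\n' ' ')
    [ "$enabled" = "allowscp allowsftp " ]
}

# --- constructed sample files (assumed layout, not real system files) ---
RSSH=/usr/local/bin/rssh
tmp=${TMPDIR:-/tmp}/rssh_check.$$
mkdir -p "$tmp"
cat > "$tmp/sshd_config" <<'EOF'
# constructed sshd_config fragment
Protocol 2
#PermitUserEnvironment yes
PermitUserEnvironment no
EOF
cat > "$tmp/sshd_config.bad" <<'EOF'
PermitUserEnvironment yes
EOF
cat > "$tmp/passwd" <<'EOF'
root:x:0:0:Super-User:/:/sbin/sh
migrated:x:1001:10:Migrated user:/export/home/migrated:/usr/local/bin/rssh
pending:x:1002:10:Not yet migrated:/export/home/pending:/bin/ksh
EOF
cat > "$tmp/shells" <<'EOF'
/bin/sh
/bin/ksh
/usr/local/bin/rssh
EOF
cat > "$tmp/rssh.conf" <<'EOF'
# constructed rssh.conf: sftp and scp only, no rsync/rdist/cvs
logfacility = LOG_USER
allowscp
allowsftp
umask = 022
EOF

# Overall verdict for one user against the constructed files: 0 when every
# check passes. An unmigrated user fails on the shell check alone.
migration_ok() {
    user_shell_is_rssh "$tmp/passwd" "$1" "$RSSH" &&
    shell_is_listed "$tmp/shells" "$RSSH" &&
    permit_user_env_disabled "$tmp/sshd_config" &&
    rssh_conf_sftp_scp_only "$tmp/rssh.conf"
}

migration_ok migrated && echo "migrated: ssh login disabled, sftp/scp allowed"
migration_ok pending || echo "pending: still has a full login shell"
```

On the real host the migration step itself is just `usermod -s /usr/local/bin/rssh <user>` followed by these checks against /etc/passwd, /etc/shells, the sshd_config in use and rssh.conf; a user who can still get an interactive prompt after that almost always means PermitUserEnvironment was left enabled or the shell change did not take.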