On Mon, Apr 14, 2008 at 12:27 PM, Sven Peters <[EMAIL PROTECTED]> wrote:
> Hi,
>
> Try this:
>
> http://www.debian-administration.org/articles/94
>
> --snip--
>
> Add user as usually and assign him a password. Then run the following
> command (replace the 'username' with real user name):
>
> [EMAIL PROTECTED] # usermod -s /usr/lib/sftp-server username
>
> This changes user's shell to sftp-server.
>
> The last step for this to work is to add '/usr/lib/sftp-server' to
> /etc/shells to make it a valid shell, eg. like this:
>
> [EMAIL PROTECTED] # echo '/usr/lib/sftp-server' >> /etc/shells
>
> There. Now you've setup a user who can only access your server with SFTP.
Thanks. There are some positive and some negative problems with this solution:

1. It reminded me that there is actually a problem with sharing the account (because the remote user can manipulate the authorized_keys file through sftp), so I use a separate account for that now.

2. It still doesn't prevent use of ssh completely, except that ssh to that user gives the sftp server as a daemon. It logs in and gives the /etc/motd file but can't run the shell. This doesn't feel quite right.

3. I added a 'command="/usr/lib/sftp-server"' to the public key line and now I enjoy an almost complete setup: a separate user who can only touch specific directories (but not its own home directory or .ssh or .ssh/authorized_keys) and can only log in via sftp.

I should probably also chroot that user to prevent it from being able to snoop around but for now I'll stop here (no time).

Thanks everyone.

--Amos

-- 
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
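The `command="/usr/lib/sftp-server"` trick from the thread is only half of a locked-down key: a forced command stops the client from getting a shell, but on its own it still lets the client request TCP port forwarding, agent and X11 forwarding and a pty. The script below is an added example written for this page, not code from the thread or from the Debian article it quotes. It builds an authorized_keys line that carries the forced command plus the `no-*` options that close those channels, and it audits an authorized_keys file for keys that are missing any of them. The sample authorized_keys content is constructed inline; the key material in it is a placeholder, and the sftp-server path is the one the thread uses (adjust it to your distribution).

```shell
#!/bin/sh
# Added example, not from the thread: lock an SSH key to sftp-server and
# audit an authorized_keys file for keys that are not locked down that way.

SFTP_SERVER=/usr/lib/sftp-server   # path used in the thread; distro-dependent

# The option set for an sftp-only key. command= forces sftp-server no matter
# what the client asked for; the no-* options close port forwarding, X11 and
# agent forwarding and the pty, which command= by itself leaves open.
sftp_only_options() {
    printf 'command="%s",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty' "$SFTP_SERVER"
}

# restricted_key_line "<type> <base64> [comment]" -> complete authorized_keys line
restricted_key_line() {
    printf '%s %s\n' "$(sftp_only_options)" "$1"
}

# audit_authorized_keys FILE
# Prints one line per key that lacks the forced command or any no-* option.
# Returns 1 if anything was reported, 0 if every key is locked down.
audit_authorized_keys() {
    _rc=0
    _n=0
    while IFS= read -r line || [ -n "$line" ]; do
        _n=$((_n + 1))
        case "$line" in
            ''|'#'*) continue ;;          # skip blank lines and comments
        esac
        _missing=""
        case "$line" in
            *"command=\"$SFTP_SERVER\""*) ;;
            *) _missing="$_missing command=" ;;
        esac
        for opt in no-port-forwarding no-X11-forwarding no-agent-forwarding no-pty; do
            case "$line" in
                *"$opt"*) ;;
                *) _missing="$_missing $opt" ;;
            esac
        done
        if [ -n "$_missing" ]; then
            printf 'line %d: missing%s\n' "$_n" "$_missing"
            _rc=1
        fi
    done < "$1"
    return $_rc
}

# Demo on a constructed file (placeholder key material): one fully restricted
# key, one bare key, and one with only command= as in the thread's step 3.
demo_audit() {
    f=$(mktemp)
    {
        restricted_key_line 'ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAexample0000 sftp-only@example'
        printf '%s\n' 'ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAexample1111 unrestricted@example'
        printf 'command="%s" ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAexample2222 cmd-only@example\n' "$SFTP_SERVER"
    } > "$f"
    rc=0
    audit_authorized_keys "$f" || rc=$?
    rm -f "$f"
    return $rc
}

# Running the script prints the two unrestricted keys and exits non-zero.
demo_audit
```

Two things the audit cannot check for you: the file it reads must not be writable by the sftp user (root-owned `.ssh` and `authorized_keys`, or `AuthorizedKeysFile` in sshd_config pointing outside the home directory), otherwise the user simply removes the options over sftp, which is exactly the problem noted in point 1 above; and if your OpenSSH is 4.8 or newer, a `Match User` block with `ForceCommand internal-sftp` and `ChrootDirectory` in sshd_config gives the same effect plus the chroot mentioned at the end, without depending on per-key options at all.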
