SSH and SFTP

From: grodenhiATgmailDOTcom (grodenhi_at_gmail.com)
Date: 10/03/05


Date: 3 Oct 2005 12:13:25 -0700

I have a tough problem here..... I have several RHEL 3AS servers
authenticating to a single LDAP server for logins. This works fine. I
want to enable SFTP logins for one server but NOT allow SSH shell to
some users on this server. I know I could change the default shell for
these users not to be /bin/sh but to the sftp daemon binary instead.
This would allow a user to log in via sftp/scp but not have interactive
shell access. But the problem is, if I change their shell on the LDAP
server to accommodate this, it will break these users from gaining SSH
interactive shell access on all the other servers. So my questions
are...

1.) Is it possible in either sshd_config or PAM to control who has
access to interactive console (shell) logins?

2.) I have created a script to use as a default shell. This script
checks for the existence of a block file in a users home directory (not
readable/writable by the user), if the block file exists, it executes
the sftp-daemon (allowing SFTP access, but not a regular shell), if the
block file does not exist, it will execute a typical /bin/sh (allowing
the user interactive shell). I could then place a block file in the
users' home directories that I want to disable interactive shell.
Since I don't want to break logins (interactive shell) on all the other
servers, I was thinking of renaming /bin/sh to something else (so I can
leave users' default shell on the LDAP server at /bin/sh). Would
replacing /bin/sh with the shell I just described cause problems? (So long
as there's not a block file in the directory, any other script
running via #!/bin/sh would just get a shell called anyhow.)

Any better ideas?? Basically I want to break some interactive shell
logins (but allow SCP/SFTP) on one server (while allowing these same
logins interactive shell on other servers), all while using the same
LDAP server. Thanks!!
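The wrapper shell described in the post, as an added example written for this page (it is not the poster's script). It follows the poster's plan of installing the wrapper as /bin/sh with the real shell renamed, but with two changes a reviewer would insist on: the decision logic sits in functions so it can be exercised without installing the file, and the marker file lives in a root-owned directory keyed by user name rather than in the home directory, because a user can unlink a root-owned file in a directory they own (unlink needs write permission on the directory, not the file). The paths /bin/sh.real, /usr/libexec/openssh/sftp-server and /etc/ssh/sftponly are assumptions.

```shell
#!/bin/sh
# Login-shell wrapper: restricted users get only the OpenSSH sftp subsystem,
# everyone else gets the real shell with the original arguments.
# Added example for this page, not the poster's script. All paths are
# assumptions. BEFORE installing this file as /bin/sh, change the shebang
# above to REAL_SHELL, or the kernel will exec this wrapper recursively.
REAL_SHELL="/bin/sh.real"                        # where the real sh was moved
SFTP_SERVER="/usr/libexec/openssh/sftp-server"   # Subsystem sftp binary (assumed path)
BLOCK_DIR="/etc/ssh/sftponly"                    # root-owned marker dir (assumed path)

# shell_blocked USER -> status 0 if USER is restricted to sftp.
# Marker is $BLOCK_DIR/USER, created by root with: touch /etc/ssh/sftponly/USER
shell_blocked() {
    [ -f "$BLOCK_DIR/$1" ]
}

# is_sftp_subsystem CMD -> status 0 only if CMD, the string sshd passes after
# "-c" for a subsystem request, is exactly the sftp server. Exact match on
# purpose: "sftp-server; id" or "scp -t /tmp" must not pass.
is_sftp_subsystem() {
    [ "$1" = "$SFTP_SERVER" ]
}

# decide USER [ARGS...] -> prints one of
#   shell : not restricted, pass through to the real shell unchanged
#   sftp  : restricted user asked for the sftp subsystem, exec it
#   deny  : restricted user asked for anything else (login shell, scp, #! script)
decide() {
    user="$1"; shift
    if ! shell_blocked "$user"; then
        echo shell
        return 0
    fi
    if [ "$1" = "-c" ] && [ $# -eq 2 ] && is_sftp_subsystem "$2"; then
        echo sftp
        return 0
    fi
    echo deny
}

# wrapper_main ARGS... : the real entry point when installed as /bin/sh.
# The user name comes from id(1), not from $USER/$LOGNAME, so it cannot be
# influenced by the environment handed to the session.
wrapper_main() {
    me="$(id -un)"
    case "$(decide "$me" "$@")" in
        shell) exec "$REAL_SHELL" "$@" ;;
        sftp)  exec "$SFTP_SERVER" ;;
        *)     echo "$me: this account is restricted to SFTP on this host." >&2
               exit 1 ;;
    esac
}

# Act only when actually invoked as the system shell: argv[0] is "sh" for
# "sh -c <cmd>", "-sh" for login shells, "/bin/sh" for #!/bin/sh scripts.
# Run under its own file name (e.g. to test the functions above) it does nothing.
case "$0" in
    sh|-sh|*/sh)
        if [ -x "$REAL_SHELL" ]; then
            wrapper_main "$@"
        else
            echo "$0: $REAL_SHELL is missing, refusing to run" >&2
        fi ;;
esac
```

Two caveats follow from the design. First, a restricted user is denied scp as well as a login shell: scp needs the remote side to run "scp -t DIR" or "scp -f FILE" through the shell, and that command string is attacker-controlled, so allowing it safely means parsing and whitelisting its arguments, which is deliberately left out here. Second, every #!/bin/sh script on the box now runs through this wrapper, so keep it short, keep it free of anything that forks more shells, and test it on a non-production host first; a bug in /bin/sh locks everyone out. Since the post was written, OpenSSH gained the sshd_config directives Match and ForceCommand (4.4) and the in-process "internal-sftp" server (4.9), which answer question 1 directly with a "Match Group sftponly" block and need no change to the LDAP shell attribute; they are not available in the OpenSSH that shipped with RHEL 3.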
