
Enable sftp access without ssh access (Network)
Would you like to offer remote users sftp access to a server but deny them the ability to login to it via ssh? The version of OpenSSH supplied with Mac OS X doesn't come with a dummy shell and it's somewhat involved to write your own, but you can get by without one. This suggestion by John Ritchie on the suse-security mailing list was a start:
The way I solved this (on Solaris with Openssh) was to set the sftp-only user's shell to be the sftp-server binary (/usr/local/libexec/sftp-server on my Solaris openssh build). I did not have to add this to /etc/shells.
Then, using the information in the "Change user's default shell" hint, you can set up users that can access a server via sftp but not actually log in via ssh. Once you have created your users and set up ssh on the server, you should then run the following for each user you want to restrict:
niutil -createprop . /users/joebob shell /usr/libexec/sftp-server
where joebob is replaced by the short name of the user you are modifying and /usr/libexec/sftp-server is the sftp-server binary. At least, that's where it is in 10.1.5. I don't know if they've moved it in 10.2; hopefully not, but you can check the location of sftp-server by looking for the "Subsystem sftp" line in the sshd configuration file /etc/sshd_config.

Now these users can get access to the server via sftp but can't log in with ssh.
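As an added example (not code from the hint or its comments), the following sh script automates the two steps above: it reads the sftp-server path from the "Subsystem sftp" line of an sshd_config, checks that the binary is actually executable, and prints the niutil command from the hint for each user short name given on the command line. The sshd_config excerpt inside the script is constructed; on a real server you would point it at /etc/sshd_config and pipe the output to sh after reviewing it.

```shell
#!/bin/sh
# Added example, not code from the hint or its comments. It automates the steps
# the hint describes: find sftp-server via the "Subsystem sftp" line, then set
# each user's shell to that binary with niutil. The config excerpt is constructed.

# Print the sftp-server path from the "Subsystem sftp <path>" line of an sshd_config.
sftp_server_path() {
    awk '$1 == "Subsystem" && $2 == "sftp" { print $3; exit }' "$1"
}

# Succeed only if the binary exists and is executable: a shell path that cannot
# be executed leaves the user unable to log in by any method, sftp included.
check_sftp_bin() {
    [ -x "$1" ]
}

# Print the niutil command from the hint for one user short name and binary path.
niutil_shell_cmd() {
    printf 'niutil -createprop . /users/%s shell %s\n' "$1" "$2"
}

# Constructed sample of /etc/sshd_config so the script runs offline.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
Port 22
Subsystem       sftp    /usr/libexec/sftp-server
EOF
SFTP_BIN=$(sftp_server_path "$SAMPLE_CONF")
rm -f "$SAMPLE_CONF"

# Usage on the server: sh restrict-sftp.sh joebob alice | sh   (review output first)
if check_sftp_bin "$SFTP_BIN"; then
    for user in "$@"; do
        niutil_shell_cmd "$user" "$SFTP_BIN"
    done
else
    echo "warning: $SFTP_BIN not found or not executable; nothing emitted" >&2
fi
```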

What about /dev/null/?
Authored by: serversurfer on Sep 13, '02 08:51:32PM

Couldn't you just go in to NetInfo Manager and change their shell to /dev/null/?

Then they should be able to sftp, but not ssh or telnet, right? It seems to me like the above method would just give them an sftp connection whenever they try to use ssh to get in. (Which, I guess, may be what you wanted.)

What about /dev/null/?
Authored by: kholburn on Sep 13, '02 09:46:47PM

When you log in using ftp then the system checks that your default shell is in /etc/shells (also that your user name is not in /etc/ftpusers). If your default shell isn't in /etc/shells you are denied access. I would imagine sftp does something similar.


Enable sftp access without ssh access
Authored by: hamarkus on May 26, '03 04:52:50PM

For me applying this command to a newly created user makes it also impossible for this user to use sftp (as well as ftp and ssh). Has something changed with 10.2 (or 10.2.6) to make this tip fail?

Adding to shells doesn't help either
Authored by: hamarkus on May 26, '03 06:59:44PM

Even adding /usr/libexec/sftp-server to /etc/shells does not get it working. Whenever I try to connect via sftp with a user whose default shell has been set to be /usr/libexec/sftp-server (as visible via Netinfo) my password is rejected (Permission denied, please try again.).

Could one place a link/symlink/alias in /bin pointing to /usr/libexec/sftp-server to get it to work?

Enable sftp access without ssh access
Authored by: Schwie on Jul 17, '04 04:18:48PM

Tried this today in Panther running 10.3.3. It works like a charm! Thank you! NetInfo is the real deal!
