Enable sftp access without ssh access

Sep 13, '02 08:56:47AM

Contributed by: andyb

Would you like to offer remote users sftp access to a server but deny them the ability to login to it via ssh? The version of OpenSSH supplied with Mac OS X doesn't come with a dummy shell and it's somewhat involved to write your own, but you can get by without one. This suggestion by John Ritchie on the suse-security mailing list was a start:

The way I solved this (on Solaris with Openssh) was to set the sftp-only user's shell to be the sftp-server binary (/usr/local/libexec/sftp-server on my Solaris openssh build). I did not have to add this to /etc/shells.
Then, using the information in the "Change user's default shell" hint, you can set up users that can access a server via sftp but not actually log in via ssh. Once you have created your users and set up ssh on the server, run the following for each user you want to restrict:
niutil -createprop . /users/joebob shell \
/usr/libexec/sftp-server
where joebob is replaced by the short name of the user you are modifying and /usr/libexec/sftp-server is the sftp-server binary. At least, that's where it is in 10.1.5; I don't know if they've moved it in 10.2 (hopefully not), but you can check the location of sftp-server by looking for the "Subsystem sftp" line in the sshd configuration file /etc/sshd_config.
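As an added example (not part of andyb's hint or John Ritchie's message), the following POSIX shell script does the two steps above without hard-coding the binary location: it reads the sftp-server path from the "Subsystem sftp" line of a constructed sshd_config sample, builds the niutil command from the hint for a given account, and checks whether an account's shell is the sftp-only one. The sample config text, the function names and the joebob account are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the original hint. It only prints the
# niutil command; nothing here modifies the NetInfo database.

# Constructed sample standing in for /etc/sshd_config (assumption).
SAMPLE_SSHD_CONFIG='# sshd_config sample
Port 22
#Subsystem sftp /usr/local/libexec/sftp-server
Subsystem sftp /usr/libexec/sftp-server
'

# sftp_server_path CONFIG_TEXT
# Prints the binary named on the active "Subsystem sftp" line.
# Commented-out lines are skipped because their first field is "#Subsystem".
sftp_server_path() {
    printf '%s\n' "$1" | awk '$1 == "Subsystem" && $2 == "sftp" { print $3; exit }'
}

# restrict_cmd USER SFTP_PATH
# Prints the niutil command from the hint that sets USER's shell to SFTP_PATH.
restrict_cmd() {
    printf 'niutil -createprop . /users/%s shell %s\n' "$1" "$2"
}

# is_sftp_only SHELL SFTP_PATH
# Succeeds (exit 0) when SHELL is the sftp-server binary, i.e. the account
# can use sftp but gets no interactive shell over ssh.
is_sftp_only() {
    [ "$1" = "$2" ]
}

# Demonstration on the constructed sample: locate the binary, then show the
# command that would restrict the hypothetical account joebob.
SFTP_BIN=$(sftp_server_path "$SAMPLE_SSHD_CONFIG")
echo "sftp-server binary from sshd_config: $SFTP_BIN"
restrict_cmd joebob "$SFTP_BIN"
if is_sftp_only "$SFTP_BIN" "$SFTP_BIN"; then
    echo "joebob would be sftp-only after that command"
fi
```

On a live 10.1/10.2 system you would run the printed niutil line as root and then confirm the change with niutil -readprop . /users/joebob shell. Keep in mind that this replaces only the login shell: the account is still not confined to a directory, and features of ssh that do not start a shell, such as TCP port forwarding, remain available unless they are turned off in sshd_config.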

Now these users can get access to the server via sftp but can't log in with ssh.



Mac OS X Hints
http://hints.macworld.com/article.php?story=20020913055647558