
Deny SSH access while allowing SFTP access OS X Server
I was finally able to figure out how to disable SSH access to a user account, but still allow SFTP to occur. Edit /etc/sshd_config, and add this section:
Match User sftponly
        AllowTcpForwarding no
        X11Forwarding no
        ForceCommand /usr/libexec/sftp-server -l INFO 
Replace sftponly with your short user name, then save the file and quit the editor.

[robg adds: You'll probably have to restart Remote Login in the Sharing panel to make these changes take effect, but I'm not sure of that, as I haven't tested this hint. It's categorized as an OS X Server hint, but I have no reason to think it wouldn't work in Client as well.]
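An added example, not part of the original hint: a small Python audit that reads sshd_config text and reports whether a given user ends up with the three settings from the Match block above. It follows sshd's rules that a matching block overrides the global section and that the first instance of a keyword wins. The sample config, its second user block and the function names are constructed for illustration.

```python
import fnmatch, os

# Constructed sample: the hint's block plus a second, incomplete one.
SAMPLE = """\
X11Forwarding yes
Match User sftponly
        AllowTcpForwarding no
        X11Forwarding no
        ForceCommand /usr/libexec/sftp-server -l INFO
Match User uploads,ftp*
        X11Forwarding no
"""

def user_matches(patterns, user):
    """Comma-separated sshd pattern list; a matching '!pattern' vetoes."""
    pats = patterns.split(",")
    if any(p.startswith("!") and fnmatch.fnmatchcase(user, p[1:]) for p in pats):
        return False
    return any(fnmatch.fnmatchcase(user, p) for p in pats if not p.startswith("!"))

def effective_settings(config_text, user):
    """Global values, overridden by the first value seen in matching blocks."""
    global_opts, match_opts = {}, {}
    target = global_opts
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"): continue
        parts = line.split(None, 1)
        keyword, value = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if keyword == "match":
            crit = value.split()
            # Simplification: only a lone "User" criterion is evaluated here.
            hit = len(crit) == 2 and crit[0].lower() == "user" and user_matches(crit[1], user)
            target = match_opts if hit else None
        elif target is not None:
            target.setdefault(keyword, value)   # first instance wins
    return {**global_opts, **match_opts}

def audit(config_text, user):
    """Return a list of reasons the user is not restricted to SFTP."""
    eff, problems = effective_settings(config_text, user), []
    forced = eff.get("forcecommand", "").split()
    if not forced or os.path.basename(forced[0]) not in ("sftp-server", "internal-sftp"):
        problems.append("ForceCommand does not run the SFTP server")
    if eff.get("allowtcpforwarding", "yes").lower() != "no":   # sshd default: yes
        problems.append("AllowTcpForwarding is not 'no'")
    if eff.get("x11forwarding", "no").lower() != "no":         # sshd default: no
        problems.append("X11Forwarding is not 'no'")
    return problems
```

On OpenSSH releases that have extended test mode, sshd -T -C user=sftponly,host=localhost,addr=127.0.0.1 prints the settings sshd itself would apply, which is the authoritative check.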

Deny SSH access while allowing SFTP access
Authored by: club60.org on Nov 23, '07 08:05:59AM

There's no need to restart.



Deny SSH access while allowing SFTP access
Authored by: enigmamf on Nov 23, '07 10:29:18AM

I haven't tried it but I agree --- sshd is a daemon that is spawned by launchd whenever an incoming connection is made, and it reads the configuration each time. It would certainly be in line with my other experiences with sshd configuration.

Contrast Apache, where an httpd process stays alive to accept and delegate incoming connections.



Deny SSH access while allowing SFTP access
Authored by: Schwie on Nov 23, '07 09:55:56AM
Does this chroot a user to their own home folder? In Tiger, it was possible by using these instructions:

http://www.macosxhints.com/article.php?story=20051101062213534


Deny SSH access while allowing SFTP access
Authored by: spinkb on Nov 23, '07 08:42:13PM

While not a free method, by far the easiest and most configurable method is to use CrushFTP. That way you can give SFTP access to any folder you feel like without any risk of a user getting out of the folder, or some permissions you forgot to set exposing your entire machine. Additionally the user doesn't need to be a real OS X user either, so they only exist in CrushFTP.

Roughly 10 mouse clicks to make the user, give access, and be ready to go.

--DISCLAIMER--
I am the author of CrushFTP, so my opinion is very biased...but still accurate. :)


