Allow SFTP but disallow SSH?

Starting with version 4.9 OpenSSH (not available in centos 5.x but ChrootDirectory feature was backported) has an internal-sftp subsystem:

Subsystem sftp internal-sftp

And then block other uses:

Match group sftponly
     ChrootDirectory /upload/%u
     X11Forwarding no
     AllowTcpForwarding no
     AllowAgentForwarding no
     ForceCommand internal-sftp

Add your users to the sftponly group. The chroot directory must be owned by root, and cannot be group-writeable, so create a subdirectory for each user, e.g. uploads or home/$username that’s owned by the appropriate user (if you match their home directory, it will be the default working directory when connecting). I’d also set /bin/false as the user’s shell.

As an example, users can then upload single files with:

sftp username@hostname <<< 'put filename.ext uploads/'

(scp will hopefully soon be modified to use sftp so this will become easier)

Related Posts:

  1. No space left on device
  2. CentOS error – sudo: effective uid is not 0, is sudo installed setuid root?
  3. How to recursively download a folder via FTP on Linux
  4. httpd: Could not reliably determine the server’s fully qualified domain name, using 127.0.0.1 for ServerName
  5. When does `cron.daily` run?
  6. How can I verify if TLS 1.2 is supported on a remote web server from the RHEL/CentOS shell?
  7. Mount CIFS Host is down
  8. how do you create an ssh key for another user?
  9. “POSSIBLE BREAK-IN ATTEMPT!” in /var/log/secure — what does this mean?
  10. How bad is it really to install Linux on one big partition?
  11. Show all users and their groups/vice versa
  12. How should an IT department choose a standard Linux distribution?
  13. Chmod 777 to a folder and all contents [duplicate]
  14. Cannot connect to the Docker daemon at unix:/var/run/docker.sock. Is the docker daemon running?
  15. Amazon Linux: apt-get: command not found
  16. How do I find all files containing specific text on Linux?
  17. “Couldn’t find a file descriptor referring to the console” on Ubuntu bash on Windows
  18. Where can I find php.ini?
  19. gzip: stdin: not in gzip format tar: Child returned status 1 tar: Error is not recoverable: exiting now
  20. Linux: ‘Username’ is not in the sudoers file. This incident will be reported
  21. “E: Unable to locate package python-pip” on Ubuntu 18.04 [duplicate]
  22. How can I exclude directories from grep -R?
  23. How to exclude a directory in find . command
  24. mysql_config not found when installing mysqldb python interface
  25. Linux error while loading shared libraries: cannot open shared object file: No such file or directory
  26. Shell command to tar directory excluding certain files/folders
  27. QEMU: /bin/sh: can’t access tty; job control turned off
  28. Explaining the ‘find -mtime’ command
  29. Creating a new directory in C
  30. Extract file basename without path and extension in bash
  31. How to change permissions for a folder and its subfolders/files in one step
  32. mv: cannot stat error : No such file or directory error
  33. mysql_config not found when installing mysqldb python interface
  34. Linux error while loading shared libraries: cannot open shared object file: No such file or directory
  35. Pseudo-terminal will not be allocated because stdin is not a terminal
  36. screen Cannot open your terminal ‘/dev/pts/0’ – please check
  37. ./configure : /bin/sh^M : bad interpreter
  38. TCP congestion control version: HTCP module vs highspeed module in linux kernel
  39. How to use regex with find command?
  40. What is the difference between /etc/rc.local and ~/.bashrc?
  41. Snort Message – WARNING: No preprocessors configured for policy 0
  42. Compile the Fortran program in Windows using gfortran
  43. How can I set the ‘backend’ in matplotlib in Python?
  44. Yum fails with – There are no enabled repos.
  45. Getting stty: standard input: Inappropriate ioctl for device when using scp through an ssh tunnel
  46. configure: error: cannot run C compiled programs
  47. What does set -e mean in a bash script?
  48. How to make rpm auto install dependencies
  49. How do I install chkconfig on Ubuntu?
  50. “find: paths must precede expression:” How do I specify a recursive search that also finds files in the current directory?
  51. Apache server keeps crashing, “caught SIGTERM, shutting down”
  52. List all mounts in Linux
  53. How to use sed to extract substring
  54. Wait for user input in C?
  55. tar: Error is not recoverable: exiting now
  56. cd into directory without having permission
  57. python-dev installation error: ImportError: No module named apt_pkg
  58. How to enable Bash in Windows 10 developer preview?
  59. WordPress sites being filled with random PHP files
  60. how to properly mount external server directory for wordpress uploads
  61. Is it a good idea to edit WordPress within Eclipse? [closed]
  62. How can I sort du -h output by size
  63. What exactly do the colors in htop status bars mean?
  64. How to run a server on port 80 as a normal user on Linux?
  65. Showing total progress in rsync: is it possible?
  66. How to bind MySQL server to more than one IP address?
  67. Moving an already-running process to Screen
  68. What’s the best way of handling permissions for Apache 2’s user www-data in /var/www?
  69. Permission denied (publickey). SSH from local Ubuntu to Amazon EC2 server
  70. How to setup passwordless `sudo` on Linux?
  71. LVM dangers and caveats
  72. How to know from which yum repository a package has been installed?
  73. How do I verify the speed of my NIC?
  74. tar – Remove leading directory components on extraction
  75. Job scheduling using crontab, what will happen when computer is shutdown during that time?
  76. How to list Apache enabled modules?
  77. How can I monitor hard disk load on Linux?
  78. How to display certain lines from a text file in Linux?
  79. What’s the reverse DNS command line utility?
  80. Can you have more than one ~/.ssh/config file?
  81. How to add a security group to a running EC2 Instance?
  82. How do I extract login history?
  83. How to force nginx to resolve DNS (of a dynamic hostname) everytime when doing proxy_pass?
  84. GPG does not have enough entropy
  85. SSH from A through B to C, using private key on B [closed]
  86. Is it possible to reboot a Linux OS without rebooting the hardware?
  87. Why don’t EC2 ubuntu images have swap?
  88. SSHFS mount that survives disconnect
  89. Temporarily ignore my `~/.ssh/known_hosts` file?
  90. Does the “bs” option in “dd” really improve the speed?
  91. How to get TX/RX bytes without ifconfig?
  92. What solutions exist to allow the use of revision control for server configuration files? [closed]
  93. Curl: disable certificate verification
  94. Is there a way to do a remote “ls” much like “scp” does a remote copy?
  95. How to apply a filter to real time output of `tail -f `?
  96. Practical maximum open file descriptors (ulimit -n) for a high volume system
  97. Dump a linux process’s memory to file
  98. How to handle relative urls correctly with a reverse proxy
  99. What is the difference between /sbin/nologin and /bin/false?
  100. Where’s the conventional place to store git repositories in a linux file system tree?

Leave a Comment