Prevent ssh shell access for sftp user

In Linux, it is not obvious how to prevent someone from getting SSH shell access to a machine on which you intend to give them only SFTP access. This is because both of these services utilize port 22 and SSL encryption. The default shell for a user is /bin/bash, which is set when the user account is created.

This will need to be modified to ensure that a user only has SFTP access. The command should look something like this:

usermod -s /usr/libexec/openssh/sftp-server someuser

This will set the shell of “someuser” to the sftp-server that comes with OpenSSH. This way, when a user logs in, they are provided secure access to files and not a whole shell.

If you have trouble finding where this sftp-server may be on your server, you can use the locate command:

locate sftp-server
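
The following script is an added example, not part of the original post. It finds sftp-server without needing a locate database and checks that the accounts meant to be SFTP-only no longer have an interactive shell. The function names, the extra account names and the sample passwd data are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Sample data below is constructed.

# Paths where common Linux distributions install OpenSSH's sftp-server:
# RHEL/CentOS/Fedora, Debian/Ubuntu, Arch.
SFTP_CANDIDATES="/usr/libexec/openssh/sftp-server
/usr/lib/openssh/sftp-server
/usr/lib/ssh/sftp-server"

# Print the first candidate that exists and is executable.
# $1 (optional, hypothetical helper argument) is a root prefix for testing.
find_sftp_server() {
    root="${1:-}"
    for p in $SFTP_CANDIDATES; do
        if [ -x "$root$p" ]; then
            printf '%s\n' "$p"
            return 0
        fi
    done
    return 1
}

# Read passwd-format lines on stdin and print "user:shell" for every named
# account whose login shell (field 7) is not an sftp-server binary.
# An empty field 7 is reported as /bin/sh, which is what login falls back to.
users_with_shell_access() {
    awk -F: -v users="$*" '
        BEGIN { n = split(users, u, " "); for (i = 1; i <= n; i++) want[u[i]] = 1 }
        ($1 in want) && $7 !~ /\/sftp-server$/ {
            print $1 ":" ($7 == "" ? "/bin/sh" : $7)
        }'
}

# Constructed sample in /etc/passwd format.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
someuser:x:1001:1001::/home/someuser:/usr/libexec/openssh/sftp-server
upload1:x:1002:1002::/home/upload1:/bin/bash
upload2:x:1003:1003::/home/upload2:'

# Demo: which of the intended SFTP-only accounts can still get a shell?
printf '%s\n' "$SAMPLE_PASSWD" | users_with_shell_access someuser upload1 upload2
# On a real host: getent passwd | users_with_shell_access someuser
```

The login shell only controls what runs when a session starts. TCP forwarding is governed separately by AllowTcpForwarding in sshd_config, so review that setting for these accounts as well.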
