I haven't tested this on Sol 10 but you can do what you want if you are using authorized_keys for access.
In the authorized_keys file you need to prepend (if you are using DSA keys) or append (if you are using RSA keys) the appropriate key with:
command="/usr/bin/scp -t ."
You might need to tweak that for where scp is located in your environment but that should work.
you can create a wrapper:
create /bin/sftp.sh (same perm as /bin/sh)
edit and add the following:
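#!/bin/sh
# sshd starts the login shell as "<shell> -c <command>", so $2 holds the requested command
SSH_ORIGINAL_COMMAND="$2"
/usr/bin/logger -p user.notice "SFTP: $SSH_CONNECTION $SSH_ORIGINAL_COMMAND"
if echo "$SSH_ORIGINAL_COMMAND" | egrep -e "^sftp " > /dev/null 2>&1; then
    # left unquoted on purpose: word splitting turns the string into command + arguments
    $SSH_ORIGINAL_COMMAND
elif echo "$SSH_ORIGINAL_COMMAND" | egrep -e "^scp " > /dev/null 2>&1; then
    $SSH_ORIGINAL_COMMAND
else
    # anything else, including an interactive log-in with no command, is refused and logged
    /usr/bin/logger -p auth.crit "sftp-wrapper Denied $SSH_CONNECTION $SSH_ORIGINAL_COMMAND"
    echo "Access denied! No logons allowed! IP logged."
fi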
this will allow scp and sftp as an example.
to test, create a test user and change the shell for the user to /bin/sftp
now try and su - test user
you should get: "Access denied! No logons allowed! IP logged."
you might have to do an eval "$SSH_ORIGINAL_COMMAND" if you have dirs with spaces etc. that the affected users need to upload files to.
hope this helps.
Cheers
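A stricter form of the check in the wrapper above, as an added example that is not code from this thread: it allowlists characters so nothing the shell would interpret can reach an eval, then accepts only scp in its server-side -t/-f modes or the sftp-server binary. The function name check_command and the sftp-server path are assumptions.

```shell
#!/bin/sh
# Added example: validation step for a login-shell / forced-command wrapper.
# Assumed path, not from the thread; adjust to where sftp-server lives.
SFTP_SERVER="/usr/lib/ssh/sftp-server"

# check_command STRING -> exit status 0 (allow) or 1 (deny)
check_command() {
    cmd=$1
    # Allowlist of characters: anything else (quotes, ; | & $ ` * ? newline ...)
    # is refused, so the string is safe to word-split or pass to eval.
    case $cmd in
        *[!A-Za-z0-9\ ./_=:@%+,-]*) return 1 ;;
    esac
    # Split into words; no glob characters can be present after the check above.
    set -- $cmd
    [ "$#" -ge 1 ] || return 1          # empty command = interactive log-in
    prog=$1
    shift
    case $prog in
        "$SFTP_SERVER") [ "$#" -eq 0 ] && return 0; return 1 ;;
        scp|/usr/bin/scp) ;;
        *) return 1 ;;
    esac
    # scp must be in server-side mode: -t (receive) or -f (send), and only
    # the flags a client normally sends may precede it.
    for arg in "$@"; do
        case $arg in
            -t|-f) return 0 ;;
            -r|-p|-d|-v) ;;
            *) return 1 ;;
        esac
    done
    return 1
}

# Constructed sample requests (not taken from a real log).
for sample in "scp -t ." "scp -r -f /export/data" "$SFTP_SERVER" \
              "" "/bin/sh" "scp -t . ; ls" "scp /etc/hosts"; do
    if check_command "$sample"; then
        echo "ALLOW: [$sample]"
    else
        echo "DENY:  [$sample]"
    fi
done
```

In the wrapper, call check_command "$SSH_ORIGINAL_COMMAND" before the execution line and keep the two logger calls on the allow and deny branches.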
Hello.
Are the users allowed to log into the system another way (e.g. directly at the system's keyboard)?
If no: The two possibilities mentioned above are good!
If yes: In this case I would try to write a C program like this:
#include <unistd.h>

int main(int argc, char **argv)
{
    // Insert code that tests if the program has been started
    // by SSH or any other log-in like su, xterm, popen() or
    // the console log-in here, and set is_SSH accordingly.
    int is_SSH = 0;
    if (is_SSH)
        // Replace this by the full name of the "scponly" tool
        // mentioned above.
        argv[0] = "scponly_directory/scponly";
    else
        argv[0] = "/bin/sh";
    execv(argv[0], argv);
    return 1; // only reached if execv() fails
}
Unfortunately I do not know how to test for SSH.
Martin