Howto deny a sftp connection - SSH


Thread: Howto deny a sftp connection

  1. Howto deny a sftp connection

    Hey guys,
    how can I deny a login via scp, sftp or a winscp connection? I only know
    that this is a non-interactive connection. What are the parameters for
    the sshd.conf?

    It's a Debian Linux server.

    Thanks
    Tom

  2. Re: Howto deny a sftp connection

    >>>>> "HK" == Hermann writes:

    HK> Hey guys, how can I deny a login via scp, sftp or a winscp
    HK> connection? I only know that this is a non-interactive
    HK> connection. What are the parameters for the sshd.conf?

    You can turn off the usual sftp by removing the sftp subsystem from
    sshd_config. However, there is no easy general way to prevent scp, since
    it is simply a remote command (and in fact, one can get sftp to work the
    same way).

    --
    Richard Silverman
    res@qoxp.net


  3. Re: Howto deny a sftp connection

    On 2005-12-20, Richard E. Silverman wrote:
    >>>>>> "HK" == Hermann writes:

    >
    > HK> Hey guys, how can I deny a login via scp, sftp or a winscp
    > HK> connection? I only know that this is a non-interactive
    > HK> connection. What are the parameters for the sshd.conf?
    >
    > You can turn off the usual sftp by removing the sftp subsystem from
    > sshd_config. However, there is no easy general way to prevent scp, since
    > it is simply a remote command (and in fact, one can get sftp to work the
    > same way).


    You could remove execute permissions from the sftp-server and scp binaries
    (or make them group-execute only for a certain group) but that still
    won't stop people transferring files via other means (eg "ssh server
    cat /foo/bar >bar").

    --
    Darren Tucker (dtucker at zip.com.au)
    GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
    usually comes from bad judgement.

  4. Re: Howto deny a sftp connection


    "Hermann" wrote in message
    news:do95k7$2ob$1@newsserver.rrzn.uni-hannover.de...
    > Hey guys,
    > how can I deny a login via scp, sftp or a winscp connection? I only know
    > that this is a non-interactive connection. What are the parameters for
    > the sshd.conf?
    >
    > It's a Debian Linux server.


    Why do you want this? What are you trying to achieve?



  5. Re: Howto deny a sftp connection

    Hi,
    this is exactly the topic I have questions about.
    For me, I want to achieve that users can connect to the server by ssh
    but that they cannot transfer files from that server. That's why I want
    to stop and deny all sftp and scp connections.

    Okay, the sftp subsystem is easy to stop by editing the sshd_config.
    But how can I stop the scp function of ssh? Is it possible, and how,
    to set permissions in pam.d?
    i.e. for ssh:
    /etc/pam.d/ssh:
    auth required pam_listfile.so sense=allow onerr=fail item=user file=/etc/loginusers

    Is it somehow possible to control the scp function by pam.d? note: I
    don't want to deny ssh.

    Thanks a lot
    Tom


    Nico Kadel-Garcia wrote:
    > "Hermann" wrote in message
    > news:do95k7$2ob$1@newsserver.rrzn.uni-hannover.de...
    >
    >>Hey guys,
    >>how can I deny a login via scp, sftp or a winscp connection? I only know
    >>that this is a non-interactive connection. What are the parameters for
    >>the sshd.conf?
    >>
    >>It's a Debian Linux server.

    >
    >
    > Why do you want this? What are you trying to achieve?
    >
    >



  6. Re: Howto deny a sftp connection

    On 2006-01-19, Tom wrote:
    > this is exactly the topic I have questions about.
    > For me, I want to achieve that users can connect to the server by ssh
    > but that they cannot transfer files from that server.


    If you're allowing shell access then it's basically impossible to stop
    a determined user transferring files, see below.

    > That's why I want to stop and deny all sftp and scp connections.
    >
    > Okay, the sftp subsystem is easy to stop by editing the sshd_config.


    Unless you remove permissions from sftp-server too, users can still run
    sftp over a shell channel as Richard mentioned.

    > Is it somehow possible to control the scp function by pam.d? note: I
    > don't want to deny ssh.


    No, neither scp nor sftp check PAM.

    You can block naive users by setting the permissions on the scp binary
    (eg make it mode 750 with a group "scpusers", then put anyone allowed to
    run it in that group) but that won't stop someone copying an scp binary
    into, eg, $HOME/bin and using that.

    Even if you managed to block scp and sftp perfectly, since you're allowing
    shell access, files can be transferred trivially using shell output
    redirects (ie ssh yourserver "cat file" >file or a gazillion variations
    thereof).

    --
    Darren Tucker (dtucker at zip.com.au)
    GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
    usually comes from bad judgement.
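
Added example, not part of any post in this thread: a POSIX shell audit of the two controls the replies discuss, the sftp Subsystem line in sshd_config and world-execute permission on the scp and sftp-server binaries. The function names and the sample files are constructed for illustration; on a real host, pass the local config and binary paths as arguments.

```shell
#!/bin/sh
# Added example (not from the thread): audit the controls discussed above.
# Function names are hypothetical; paths are supplied by the caller.

# Return 0 if the config has an active (uncommented) sftp subsystem line.
# sshd_config keywords are case-insensitive.
sftp_subsystem_enabled() {
    grep -Eiq '^[[:space:]]*subsystem[[:space:]]+sftp([[:space:]]|$)' "$1"
}

# Return 0 if "other" may execute the file, i.e. it is not limited to
# owner/group as in the mode-750 suggestion. -L follows symlinks.
world_executable() {
    [ -n "$(find -L "$1" -prune -perm -001 2>/dev/null)" ]
}

# Print one line per control; exit status is the number of open findings.
audit_transfer_controls() {
    config=$1; shift
    findings=0
    if sftp_subsystem_enabled "$config"; then
        echo "OPEN: sftp subsystem enabled in $config"
        findings=$((findings + 1))
    else
        echo "ok:   no active sftp subsystem in $config"
    fi
    for bin in "$@"; do
        if [ ! -e "$bin" ]; then
            echo "ok:   $bin not present"
        elif world_executable "$bin"; then
            echo "OPEN: $bin is executable by all users"
            findings=$((findings + 1))
        else
            echo "ok:   $bin is not world-executable"
        fi
    done
    echo "note: accounts with a shell can still move files over ssh itself"
    return "$findings"
}

# Constructed sample input: subsystem commented out, scp stand-in at mode 750.
demo=$(mktemp -d)
printf '%s\n' 'PermitRootLogin no' \
    '#Subsystem sftp /usr/lib/openssh/sftp-server' > "$demo/sshd_config"
: > "$demo/scp" && chmod 750 "$demo/scp"
audit_transfer_controls "$demo/sshd_config" "$demo/scp" || echo "open findings: $?"
rm -rf "$demo"
```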
