From time to time, people come here to ask: how can I set up an account for SFTP only, forbidding shell access?

One common answer is scponly, http://sublimation.org/scponly/wiki/ This looks quite powerful, in particular if you intend to chroot.

I just had to implement SFTP only access myself. Reading the scponly sources, I realized that the task is nearly trivial as long as you only want SFTP, no other protocols, and need no chroot. So I thought I might as well share with the list. In case I overlooked anything serious, chances are I shall be beaten... ;-)

Use the following as the shell for the account in question. Note that just setting the shell to /sbin/nologin or /usr/bin/false, which is a common solution for FTP only, does not work for SFTP only because sshd(8) will spawn `$SHELL -c /usr/libexec/sftp-server` when contacted by sftp(1).

/* Ingo Schwarze 2006. Public domain. */
#include <unistd.h>	/* execl */
#include <string.h>	/* strcmp */
#include <errno.h>	/* EPERM EINVAL */
#include <err.h>	/* errx, err */

#define SFTPPATH "/usr/libexec/sftp-server"

int
main(int argc, char **argv)
{
	/* No arguments at all: somebody wants an interactive shell. */
	if (argc == 1)
		errx(EPERM, "interactive login disabled");
	/* sshd(8) invokes the shell exactly as: $SHELL -c <command> */
	if (argc != 3)
		errx(EINVAL, "got %i instead of 2 arguments", argc-1);
	if (strcmp(argv[1], "-c") != 0)
		errx(EINVAL, "first arg is '%s' instead of '-c'", argv[1]);
	if (strcmp(argv[2], SFTPPATH) != 0)
		errx(EINVAL, "second arg is '%s' instead of '%s'", argv[2], SFTPPATH);
	execl(SFTPPATH, SFTPPATH, (char *)NULL);
	/* Only reached if execl(2) itself failed. */
	err(1, "execl %s", SFTPPATH);
}
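As an added example (this is not Ingo's code and not part of the original post), the same idea generalized from one hard-coded string to a small table of permitted commands, with the decision separated from the exec so it can be unit-tested. The point worth seeing is the comparison rule: sshd(8) passes the Subsystem line from sshd_config verbatim as the single argument after -c, so the string the shell compares against must match that line byte for byte, options included. The two table entries below (the second with "-l INFO") are assumptions standing in for whatever the local sshd_config says; on a real host copy the Subsystem command exactly.

```c
/* Added example: allow-list "shell" for sshd subsystems.
 * Generalizes the single-command check; paths below are assumptions
 * and must match the Subsystem line in sshd_config byte for byte. */
#include <err.h>
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Commands sshd may hand us via "$SHELL -c <command>". */
static const char *const allowed_cmds[] = {
	"/usr/libexec/sftp-server",		/* assumed: plain Subsystem line */
	"/usr/libexec/sftp-server -l INFO",	/* assumed: Subsystem line with logging */
	NULL,
};

enum verdict { ALLOW, DENY_INTERACTIVE, DENY_BADARGS, DENY_NOMATCH };

/* Pure decision function with no side effects, so it can be tested
 * without exec'ing anything. On ALLOW, *matched is the table entry. */
enum verdict
check_command(int argc, char **argv, const char *const *table,
    const char **matched)
{
	*matched = NULL;
	if (argc == 1)		/* no "-c": an interactive shell was wanted */
		return DENY_INTERACTIVE;
	if (argc != 3 || strcmp(argv[1], "-c") != 0)
		return DENY_BADARGS;	/* anything but exactly "-c <cmd>" */
	for (const char *const *p = table; *p != NULL; p++)
		if (strcmp(argv[2], *p) == 0) {
			*matched = *p;	/* exact match, options included */
			return ALLOW;
		}
	return DENY_NOMATCH;
}

/* Split a matched table entry on spaces into an argv vector so the
 * command can be execv'ed directly, without going through a real shell.
 * Entries are trusted constants, so plain tokenizing is sufficient.
 * Returns the argument count, or -1 if buf or out is too small. */
int
split_args(const char *cmd, char *buf, size_t bufsz, char **out, size_t maxargs)
{
	size_t n = 0;

	if (strlen(cmd) >= bufsz)
		return -1;
	strcpy(buf, cmd);
	for (char *tok = strtok(buf, " "); tok != NULL; tok = strtok(NULL, " ")) {
		if (n + 1 >= maxargs)	/* keep room for the NULL terminator */
			return -1;
		out[n++] = tok;
	}
	out[n] = NULL;
	return (int)n;
}

int
main(int argc, char **argv)
{
	const char *cmd;
	char buf[256];
	char *eargv[16];

	switch (check_command(argc, argv, allowed_cmds, &cmd)) {
	case DENY_INTERACTIVE:
		errx(EPERM, "interactive login disabled");
	case DENY_BADARGS:
		errx(EINVAL, "expected exactly: -c <command>");
	case DENY_NOMATCH:
		errx(EINVAL, "command '%s' is not permitted", argv[2]);
	case ALLOW:
		break;
	}
	if (split_args(cmd, buf, sizeof buf, eargv,
	    sizeof eargv / sizeof eargv[0]) < 1)
		errx(1, "unusable table entry '%s'", cmd);
	execv(eargv[0], eargv);
	err(1, "execv %s", eargv[0]);	/* only reached if execv(2) failed */
}
```

Install the compiled binary as the account's login shell just like the single-command version; the only behavioural difference is that the table, rather than one #define, decides what sshd is allowed to start.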