Deny SSH access while allowing SFTP access

More Mac Sites:
Macworld
MacUser
iPhone Central

Pick of the Week - Nov 10 [Show all picks]
Path Finder 5 - A feature-laden Finder replacement

12,000 hints and counting!

Fri, Nov 23 2007 at 7:30AM PST • Contributed by: Anonymous

I was finally able to figure out how to disable SSH access to a user account, but still allow SFTP to occur. Edit /etc/sshd_config, and add this section:

Match User sftponly
        AllowTcpForwarding no
        X11Forwarding no
        ForceCommand /usr/libexec/sftp-server -l INFO

Replace sftponly with your short user name, then save the file and quit the editor.

[robg adds: You'll probably have to restart Remote Login in the Sharing panel to make these changes take effect, but I'm not sure of that, as I haven't tested this hint. It's categorized as an OS X Server hint, but I have no reason to think it wouldn't work in Client as well.]

•

Currently 0.00 / 5
1
2
3
4
5

(0 votes cast)

[6,833 views]

Hint Options

Deny SSH access while allowing SFTP access | 4 comments | Create New Account

Click here to return to the 'Deny SSH access while allowing SFTP access' hint

The following comments are owned by whomever posted them. This site is not responsible for what they say.

Deny SSH access while allowing SFTP access
Authored by: club60.org on Fri, Nov 23 2007 at 8:05AM PST

There's no need to restart.

Deny SSH access while allowing SFTP access
Authored by: enigmamf on Fri, Nov 23 2007 at 10:29AM PST

I haven't tried it but I agree --- sshd is a daemon that is spawned by launchd whenever an incoming connection is made, and it reads the configuration each time. It would certainly be in line with my other experiences with sshd configuration.

Contrast Apache, where an httpd process stays alive to accept and delegate incoming connections.

Deny SSH access while allowing SFTP access
Authored by: Schwie on Fri, Nov 23 2007 at 9:55AM PST

Does this chroot a user to their own home folder? In Tiger, it was possible by using these instructions:

http://www.macosxhints.com/article.php?story=20051101062213534

[ Reply to This | # ]

Deny SSH access while allowing SFTP access
Authored by: spinkb on Fri, Nov 23 2007 at 8:42PM PST

While not a free method, by far the easiest and most configurable method is to use CrushFTP. That way you can give SFTP access to any folder you feel like without and risk of a user getting out of the folder, or some permissions you for got to set exposing your entire machine. Additionally the user doesn't need to be a real OS X user either, so they only exist in CrushFTP.

Roughly 10 mouse clicks to make the user, give access, and be ready to go.

--DISCLAIMER--
I am the author of CrushFTP, so my opinion is very biased...but still accurate. :)

Search

From our Sponsor...

User Functions

Don't have an account yet? Sign up as a New User
Lost your password?

What's New:

Hints

No new hints

Comments last 2 days

Links last 2 weeks

No recent new links

What's New in the Forums?

The Editor's Corner...

Here are some of my (robg) other projects...

•	The Robservatory My blog - Macs, tech, etc.
•	Mac OS X Power Hound The best of Hints in print
•	Inside iWork An iWork training DVD
•	Macworld Column, features, online...

Hints by Topic

News from Macworld

The macosxhints Poll

What version of OS X are you running as your main OS?

Other polls | 9,255 votes | 40 comments

Visit other IDG sites: