On a Linux server running OpenSSH, how can I disable sftp access (the sftp subsystem) for a specific user/group?
The user should only be able to access a shell but have no sftp access.
Edit:
The purpose is to give users an SSH key which can only be used to execute one specific command (using the command="..." option in authorized_keys). And they shouldn't be allowed to use sftp. Is it already taken care of when using the command="..." option?
If you are using the SFTP SubSystem where it spawns a separate process, you could create an sftp group and only allow execution of the sftp-server binary for that group. It will not be possible to do this with the newer internalized sftp daemon, which is specified with internal-sftp.
If they have shell access, they will still be able to scp. Do you have a particular goal in mind?
Edit
If you want to restrict your user to only executing or utilizing a specific program, I would probably recommend a shell wrapper instead. command= might work but it seems more likely to be fallible. I would do more testing to be sure.
A shell wrapper, such as scponly, will only allow the end-user to scp. I have modified the source of scponly before to only allow CVS execution, for example. This can also be done with a shell script but it is easier to make mistakes if you do not fully understand the scope of what you are trying to do.
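The shell-script wrapper mentioned in the answer above, combined with the command="..." option from the question, as an added example (not code from the original posts or from OpenSSH). The install path, log tag, and ALLOWED_CMD are hypothetical, and the request strings sshd passes for subsystem requests are an assumption to confirm on your own build.

```shell
#!/bin/sh
# Forced-command wrapper (added example; names and paths are hypothetical).
# authorized_keys entry, key material is a placeholder:
#   command="/usr/local/bin/forced-cmd",restrict ssh-ed25519 <PUBLIC-KEY> user@client
# "restrict" also turns off port/agent/X11 forwarding and PTY allocation.

ALLOWED_CMD="/usr/local/bin/run-backup"   # hypothetical: the one permitted program

# classify REQUEST -> prints run | deny-transfer | deny-other
# REQUEST is what the client asked for; sshd exports it as SSH_ORIGINAL_COMMAND.
# Assumption: for an sftp subsystem request the variable holds the configured
# subsystem command (a path to sftp-server, or "internal-sftp").
classify() {
    req=$1
    case $req in
        "")                           echo run ;;            # no client command given
        "$ALLOWED_CMD")               echo run ;;            # exact match, no arguments
        *sftp-server*|internal-sftp*) echo deny-transfer ;;  # sftp subsystem
        scp|"scp "*|*/scp|*/"scp "*)  echo deny-transfer ;;  # scp's remote side
        "rsync --server"*)            echo deny-transfer ;;  # rsync over ssh
        *)                            echo deny-other ;;     # anything else
    esac
}

main() {
    verdict=$(classify "${SSH_ORIGINAL_COMMAND:-}")
    if [ "$verdict" = run ]; then
        # Never pass client-supplied text to a shell; run the fixed program only.
        exec "$ALLOWED_CMD"
    fi
    # Strip non-printable bytes before logging client-controlled data.
    safe_req=$(printf '%s' "${SSH_ORIGINAL_COMMAND:-}" | tr -cd '[:print:]')
    logger -t forced-cmd -p auth.warning \
        "$verdict user=$(id -un) from=${SSH_CONNECTION%% *} req=$safe_req"
    echo "This key may only run $ALLOWED_CMD" >&2
    exit 1
}

# sshd sets SSH_CONNECTION; act only when started by it, so the file can
# also be sourced to exercise classify() on its own.
if [ -n "${SSH_CONNECTION:-}" ]; then
    main
fi
```

Every request other than the fixed command is refused; the deny-transfer verdict only separates file-transfer attempts in the auth log so they can be alerted on.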