I want to restrict all users on a server to only be able to use SFTP while the members of an admin group should have full SSH access.
I found that it is possible to restrict the members of a group by using Match Group and ForceCommand. But I found no logical negation. So I tried to construct it in reverse:
# SFTP only, full access only for admin group
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp
Match Group admin
X11Forwarding yes
AllowTcpForwarding yes
ForceCommand /usr/local/sbin/ssh-allowcmd.sh
and built a script ssh-allowcmd.sh that executes either the given command or /bin/bash for interactive access.
Is there a better solution?
If you're using OpenSSH 5.1 or later then it supports Match Group negation.
Assuming the defaults are OK for the admin group, then just change everyone else:
There's really no reason to rely on third-party shells to do this kind of job with recent OpenSSH releases.
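As an added illustration (not part of the answer above), a small Python model of how sshd evaluates a negated group list such as `Match Group *,!admin`: a matching `!pattern` vetoes the user even if another of their groups matched, and for each keyword the first matching Match block wins, so an admin who is also in `users` keeps full access while everyone else gets `ForceCommand internal-sftp`. The sshd_config fragment is constructed and only the Group criterion is modelled.

```python
import fnmatch

# Constructed sshd_config (assumed): all groups except "admin" get SFTP only.
SSHD_CONFIG = """
X11Forwarding yes
AllowTcpForwarding yes
Subsystem sftp internal-sftp
Match Group *,!admin
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
"""

def match_pattern_list(name, patterns):
    # OpenSSH rule: a matching "!pattern" vetoes (-1); else 1 if any positive hit.
    got_positive = 0
    for pat in patterns.split(","):
        if fnmatch.fnmatchcase(name, pat.lstrip("!")):
            if pat.startswith("!"):
                return -1
            got_positive = 1
    return got_positive

def group_matches(groups, patterns):
    # Any group may satisfy the list, but a negated hit on any group rejects the user.
    found = False
    for group in groups:
        result = match_pattern_list(group, patterns)
        if result < 0:
            return False
        found = found or result == 1
    return found

def effective_options(config, groups):
    # Globals first; per keyword the first matching Match block wins (Group only).
    opts, matched, in_match = {}, {}, None
    for line in config.splitlines():
        parts = line.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        key, val = parts[0], parts[1] if len(parts) > 1 else ""
        if key.lower() == "match":
            crit, _, pats = val.partition(" ")
            in_match = crit.lower() == "group" and group_matches(groups, pats)
            continue
        if in_match is None:
            opts[key] = val
        elif in_match:
            matched.setdefault(key, val)
    opts.update(matched)
    return opts
```

On a real host, check the edited file with `sshd -t` and confirm what a given account would receive with `sshd -T -C user=<name>` before restarting the daemon.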
I use MySecureShell to limit users to SFTP only connections. I do this for specific users, but I am sure you can configure it to limit by default so the exemption would be for you to give shell access as well.
http://mysecureshell.sourceforge.net/
What you want is scponly. If you're running Debian/Ubuntu it's in the repos. Once installed, you just do the following:
It also allows you to chroot the users.
Alternatively you can do the following:
The first line restricts the user's shell to sftp. The second line is to make sftp-server a valid shell.
As you didn't specify the OS that you are using, I am unable to tailor the commands to your specific needs.
If the users don't need access to the same files, but rather you don't want to set up a second server just for sftp, I would recommend virtualization instead. You can install OpenVZ and set up very lightweight VMs to handle this.
If this is accurate to your situation, you will probably find the OpenVZ installation will come in handy for other stuff like this as well over time.