11

I want to restrict all users on a server to only be able to use SFTP while the members of an admin group should have full SSH access.

I found that it is possible to restrict the members of a group by using Match Group and ForceCommand. But I found no logical negation. So I tried to construct it in reverse:

# SFTP only, full access only for admin group
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp

Match Group admin
    X11Forwarding yes
    AllowTcpForwarding yes
    ForceCommand /usr/local/sbin/ssh-allowcmd.sh

and built a script ssh-allowcmd.sh that executes either the given command or /bin/bash for interactive access.

Is there a better solution?

robcast
  • 543

4 Answers

23

If you're using OpenSSH 5.1 or later then it supports Match Group negation.

Assuming the defaults are OK for the admin group, then just change everyone else:

Match Group *,!admin
    X11Forwarding no
    AllowTcpForwarding no
    ForceCommand internal-sftp

There's really no reason to rely on third-party shells to do this kind of job with recent OpenSSH releases.

Dan Carley
  • 26,127
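To see what the negated Match Group above actually selects for a given user, here is an added example (not from the question or this answer): a small Python model of how sshd resolves per-keyword settings from Match Group blocks, run against both the config from the question and the negated one from this answer. The rules it assumes are that a negated pattern matching any of the user's groups rejects the block, a positive pattern matching any group accepts it, and among matching Match blocks the first one that sets a keyword wins over the global value. Only the keywords on this page are modelled; on a real server the authoritative check is `sshd -T -C user=...,host=...,addr=...`, which prints the effective configuration for that connection.

```python
"""Model of sshd 'Match Group' resolution (added example, not sshd's own code).

Assumed rules: global keywords apply unless a matching Match block sets the
keyword; among Match blocks the first matching block to set a keyword wins; a
'!' pattern that matches any of the user's groups rejects the block outright.
"""
from fnmatch import fnmatchcase


def match_pattern_list(string, pattern_list):
    """Return -1 on a negated match, 1 on a positive match, 0 on no match."""
    positive = 0
    for sub in pattern_list.split(","):
        negated = sub.startswith("!")
        if negated:
            sub = sub[1:]
        if fnmatchcase(string, sub):
            if negated:
                return -1  # a negated match wins immediately
            positive = 1
    return positive


def group_list_matches(groups, pattern_list):
    """True if the user's group list satisfies the Match Group pattern list."""
    found = False
    for group in groups:
        result = match_pattern_list(group, pattern_list)
        if result == -1:
            return False  # e.g. '*,!admin' rejects anyone who is in admin
        if result == 1:
            found = True
    return found


def parse_sshd_config(text):
    """Split config text into (global_settings, [(group_pattern, settings)])."""
    global_settings = {}
    blocks = []
    current = global_settings
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        value = value.strip()
        if key.lower() == "match":
            criterion, _, pattern = value.partition(" ")
            if criterion.lower() != "group":
                raise ValueError(f"unsupported Match criterion: {criterion}")
            current = {}
            blocks.append((pattern.strip(), current))
        else:
            current.setdefault(key.lower(), value)  # first value in a section wins
    return global_settings, blocks


def effective_settings(text, groups):
    """Resolve the keyword values that apply to a user with the given groups."""
    global_settings, blocks = parse_sshd_config(text)
    result = dict(global_settings)
    decided = set()
    for pattern, settings in blocks:
        if not group_list_matches(groups, pattern):
            continue
        for key, value in settings.items():
            if key not in decided:
                result[key] = value
                decided.add(key)
    return result


def forcecommand(text, groups):
    """ForceCommand that applies to the user, or None if none is set."""
    return effective_settings(text, groups).get("forcecommand")


# The two configurations from this page.
QUESTION_CONFIG = """
# SFTP only, full access only for admin group
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp

Match Group admin
    X11Forwarding yes
    AllowTcpForwarding yes
    ForceCommand /usr/local/sbin/ssh-allowcmd.sh
"""

ANSWER_CONFIG = """
Match Group *,!admin
    X11Forwarding no
    AllowTcpForwarding no
    ForceCommand internal-sftp
"""

if __name__ == "__main__":
    # Constructed group memberships; 'users' plus 'admin' shows negation winning.
    for groups in (["users"], ["admin"], ["users", "admin"]):
        print(groups, "->", effective_settings(ANSWER_CONFIG, groups))
```

The third case is the one worth noting: a user in both `users` and `admin` matches `*` on the first group, but the `!admin` match rejects the block, so that user keeps the global defaults and is not forced into internal-sftp.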
3

I use MySecureShell to limit users to SFTP-only connections. I do this for specific users, but I am sure you can configure it to limit by default so the exemption would be for you to give shell access as well.

http://mysecureshell.sourceforge.net/

J.Zimmerman
  • 1,107
2

What you want is scponly. If you're running Debian/Ubuntu it's in the repos. Once installed, you just do the following:

$ sudo chsh -s /usr/bin/scponly username

It also allows you to chroot the users.

Alternatively you can do the following:

$ usermod -s /usr/lib/sftp-server username
$ echo '/usr/lib/sftp-server' >> /etc/shells

The first line restricts the user's shell to sftp. The second line is to make sftp-server a valid shell.

As you didn't specify the OS that you are using, I am unable to tailor the commands to your specific needs.

Swoogan
  • 2,107
0

If the users don't need access to the same files, but rather you don't want to set up a second server just for SFTP, I would recommend virtualization instead. You can install OpenVZ and set up very lightweight VMs to handle this.

If this is accurate to your situation, you will probably find the OpenVZ installation will come in handy for other stuff like this as well over time.

Kyle Brandt
  • 85,693