<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body dir="auto"><div>Assign forced command ssh keys. All ssh subsystems are standalone executables; you can easily force the an incoming connection to only allow sftp, IMAP, or any other command on the system. Prohibit PTY allocation as well. See the man pages for the authorized_keys files. You can force these either in ~/.ssh or more securely in the sshd global config file. Either way ensure user has no delete or write to the file or they can change it. <br><br>Sent from my iPhone</div><div><br>On May 28, 2015, at 10:09 AM, Beddingfield, Allen <<a href="mailto:allen@ua.edu">allen@ua.edu</a>> wrote:<br><br></div><blockquote type="cite"><div>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<div>For years now, we have been using RSSH to restrict users to sftp-only on our web servers. </div>
<div><a href="http://www.pizzashack.org/rssh">http://www.pizzashack.org/rssh</a>/</div>
<div>Unfortunately, this is pretty much an abandoned project, now. </div>
<div>The way it works is that you just change the user’s shell to rssh, and sftp/scp is the only thing allowed. You can also set a umask in the rssh.conf file in /etc</div>
<div>I’m looking for a way to do this without using RSSH. I see instructions for sftp-only/chroot for OpenSSH,but that seems a little much for what we are wanting to accomplish. My only goal is the prevent shell access – I don’t need the chroot setup.</div>
<div>Any clever ideas?</div>
<div>Thanks.</div>
<div>Allen B.</div>
<div>
<div id="MAC_OUTLOOK_SIGNATURE">
<div>
<div>--</div>
<div>Allen Beddingfield</div>
<div>Systems Engineer</div>
<div>The University of Alabama</div>
</div>
<div><br>
</div>
</div>
</div>
</div></blockquote><blockquote type="cite"><div><span>_______________________________________________</span><br><span>Ale mailing list</span><br><span><a href="mailto:Ale@ale.org">Ale@ale.org</a></span><br><span><a href="http://mail.ale.org/mailman/listinfo/ale">http://mail.ale.org/mailman/listinfo/ale</a></span><br><span>See JOBS, ANNOUNCE and SCHOOLS lists at</span><br><span><a href="http://mail.ale.org/mailman/listinfo">http://mail.ale.org/mailman/listinfo</a></span><br></div></blockquote></body></html>