First published: 30th September 2007
If you have accounts that are used only for file transfer, it is good practice to limit their access to services, following the principle of least privileges. In the SSH Server configuration, this can be done by denying remote command, terminal and tunneling access for listed users or groups of users (for details, see SSH Tectia Server Administrator Manual, section 7.1.2).
However, sometimes there are many ways to access a system in addition to ssh, and it can be desirable to deny shell access on system level, e.g. by setting the login shell to /bin/false or /sbin/nologin or some other program that is listed in the system list of shells but does not start a shell. Remember that the tunneling restrictions still need to be done in the ssh-server-config.xml. But can the user transfer files, if the shell is set to /bin/false or similar?
The default behavior in the SSH Tectia Server is to run the file transfer server for an SFTP session through the user's shell. Thus, in the above scenario, the file transfer with SFTP will not work. But starting from SSH Tectia Server version 5.3.2, it is possible to configure the SFTP subsystem to be executed directly and not through the user's shell. This can be done using the new exec-directly="yes" argument for the SFTP subsystem:
<subsystem type="sftp" application="sft-server-g3" action="allow" exec-directly="yes"> </subsystem>
This option is available on the Unix and Linux platforms. The downside of executing the SFTP server directly, and not through the shell, is that possible shell initialization files (for non-interactive shells) will not be read. Also, user will not be able to connect to SSH Tectia Server using OpenSSH scp.