-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Dear colleagues,

we recently had the discussion in this list, how to let users use sftp but deny them shell access on the box. The commercial SSH version from ssh.com does this with a special dummy shell, but from OpenSSH's distribution such a dummy shell is missing.

Well that's actually a very simple little thing, but some of you might not have the time or eagerness to go into programming, hence I am enclosing our version of that beast.

Please help me with a caring sledge hammer should there be some holes in the coding.

Michael

- -- 
Michael Zimmermann (Vegaa Internet Services) <zim@vegaa.de>
phone +49 89 6283 7632
hotline +49 163 823 1195
Key fingerprint = 1E47 7B99 A9D3 698D 7E35 9BB5 EF6B EEDB 696D 5811

- --------------------------------- snip [ vegaa.dummy_shell.c ] ------------
//
// vegaa_dummy_shell.c by zim@vegaa.de 2002-03-14
//
// This program behaves as a shell for users,
// which you want to allow sftp access (e.g. for OpenSSH)
// but don't want to allow normal shell access.
//
// Copyright: Feel free to use it as you like it.
// Warranty: None .o)
//
// Compilation:
//
//      gcc vegaa_dummy_shell.c -o vegaa_dummy_shell
//
// Installation:
//
//      1.) Put this dummy_shell somewhere, say as /usr/bin/vegaa_dummy_shell.
//          Make its owner root:root and its permissions 0755 (or 0555).
//      2.) Specify the dummy_shell as the user's shell in /etc/passwd
//      3.) You may want to enter it also in /etc/shells, if these users
//          should also be allowed normal ftp-access, too.
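//
// Should your sftp-server sit in another location,
// change the following line accordingly
#define SFTP_COMMAND "/usr/lib/ssh/sftp-server"

#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/syslog.h>
#include <sys/sysmacros.h>

// Upper bound on how many bytes of one client-supplied argument are copied
// into a single syslog record. The arguments come from the remote user, so
// an unbounded %s would let that user decide how large the log entries get.
enum { MAX_LOGGED_ARG_LEN = 256 };

/*
 * Login shell that runs SFTP_COMMAND and refuses everything else.
 *
 * Accepted invocation (exactly three arguments):
 *
 *      <this shell> -c SFTP_COMMAND
 *
 * The comparison with SFTP_COMMAND is an exact string match, so the path
 * that sshd passes for the sftp subsystem (presumably the "Subsystem sftp"
 * entry in sshd_config; confirm on your system) has to be identical to
 * SFTP_COMMAND, with no extra arguments.
 *
 * Returns 2 after printing the refusal banner, 255 if sftp-server could not
 * be executed; on success the process image is replaced and main never
 * returns.
 *
 * Scope of the restriction: this program only filters the command line. It
 * does not limit what sftp-server may read or write afterwards, so the
 * account can still reach every file its UID has access to, including files
 * in its own home directory that sshd or other login services read. Combine
 * it with file permissions or a chroot; later OpenSSH releases offer
 * "ForceCommand internal-sftp" together with "ChrootDirectory" for this.
 *
 * NOTE(review): the environment is handed to sftp-server unchanged. Whether
 * the user can influence it depends on the sshd configuration; verify that
 * user-supplied environment settings are disabled.
 */
int main(int argc, char **argv)
{
    // argv[0] can be missing when the caller passes an empty argument
    // vector; handing NULL to %s is undefined behaviour, so use a fixed name.
    const char *self = (argc > 0 && argv[0] != NULL) ? argv[0]
                                                     : "vegaa_dummy_shell";
    int i;

    if (argc != 3) {
        syslog(LOG_ERR,
               "ACCESS DENIED %s: illegal number of arguments=%d",
               self, argc);
        for (i = 1; i < argc; i++) {
            syslog(LOG_ERR, "%s argv[%d]: %.*s",
                   self, i, MAX_LOGGED_ARG_LEN, argv[i]);
        }
        goto Denied;
    }

    if (strcmp(argv[1], "-c") != 0 || strcmp(argv[2], SFTP_COMMAND) != 0) {
        syslog(LOG_ERR,
               "ACCESS DENIED %s: illegal arguments: %.*s %.*s",
               self,
               MAX_LOGGED_ARG_LEN, argv[1],
               MAX_LOGGED_ARG_LEN, argv[2]);
        goto Denied;
    }

    // Now call the sftp-server. The compile-time constant is executed rather
    // than argv[2], so the executed path never depends on caller input even
    // if the check above is edited later. The terminator is cast because a
    // bare NULL is not guaranteed to be passed as a pointer to a variadic
    // function.
    execl(SFTP_COMMAND, SFTP_COMMAND, (char *)NULL);

    // execl() returns only on failure; record why (%m expands to the errno
    // text) so a wrong SFTP_COMMAND path is visible in the log.
    syslog(LOG_ERR, "%s: cannot execute %s: %m", self, SFTP_COMMAND);
    return 255; // same exit status the original produced by returning -1

Denied:
    printf("##################################################\n");
    printf("## You don't have shell access on this machine. ##\n");
    printf("## Please contact your administrator,           ##\n");
    printf("## should you believe that to be an error.      ##\n");
    printf("##################################################\n");
    return 2;
}

/*
Mail trailer of the original posting, kept verbatim. The PGP signature was
made over the message as posted and does not verify against this reformatted
and modified listing.

- ------------------------------------ snip ------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE8kOUn72vu22ltWBERAq5+AJ9eWV+4uyF6tnEaSmHy0ZV5lfrGGwCdGloP
A81KtuLhWJIJwcxL3WyrJbU=
=hK/I
-----END PGP SIGNATURE-----
*/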