Can I allow SFTP for ANY , but SSH for some IP address
Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
I don't think that is possible with just one running instance of the sshd daemon (scp, ssh and sftp are all managed by this daemon). I'm sure it is possible if you set up 2 sshd daemons (each listening on a different port).
But what is the underlying problem?
If you do not want to give everybody a shell and remote execution rights ("basic" ssh) but do want to give secure upload/download access to "everyone", you might want to take a look at scponly (it gives remote users access to both read and write local files without providing any remote execution privileges).
/usr/local/etc/sshd_config
Subsystem sftp internal-sftp
Match group sftponly
ChrootDirectory /var/ftp/upload/%u
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp
So, the SFTP user is allowed from ANY (if the firewall allows it).
But I hope the Unix server can let me configure SFTP for ANY, but SSH for some IPs,
since TCP wrappers are only for the SSHD service daemon via /etc/hosts.allow & /etc/hosts.deny
and cannot be configured as:
SFTP: ALL :allow
SSH : x.x.x.x y.y.y.y :allow
Neat - you compiled your own current version of OpenSSH on RHEL.
I haven't tinkered with the newer versions, but sshd_config(5) seems to indicate that the Match directive will support what you want to do.
Can you not do something like...
Code:
...
# Remember to explicitly turn off all
# authentication forms globally. The
# needed forms should be activated in
# the Match blocks to fine tune access
# control.
PasswordAuthentication no
# Here we implicitly allow ssh from a couple
# of subnets
Match Address 192.168.50.0/24,192.168.51.0/24
    PasswordAuthentication yes
# Here we match every other address for sftp.
# The two subnets above are negated with "!"
# so this block does not apply to them; without
# the negation, ForceCommand and ChrootDirectory
# would still reach them, because a later Match
# block sets any keyword that the earlier
# matching block left unset.
Match Address !192.168.50.0/24,!192.168.51.0/24,*
    ChrootDirectory /var/ftp/upload/%u
    ForceCommand internal-sftp
    PasswordAuthentication yes
...
Now then, this is untested. I don't know if it's even syntactically correct. But the theory seems right to me.
Last edited by anomie; 07-21-2010 at 01:35 PM.
Reason: fixed silly oversight.
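To see why the negation matters, here is an added model of how sshd evaluates a Match Address list and merges the satisfied blocks (first block to set a keyword wins, Match settings override the global section), written for this thread and not OpenSSH code. It runs anomie's block as posted ("Match address *") and a negated variant against two constructed client addresses, 192.168.50.10 and 10.0.0.5.

```python
"""Model of sshd's Match handling (sshd_config(5)): an Address list matches the
client per entry, and when several satisfied blocks set a keyword the first one
wins.  Constructed illustration for this thread, not OpenSSH code."""
import ipaddress
from fnmatch import fnmatchcase

def addr_match_list(addr, pattern_list):
    """Address entries are CIDR blocks or wildcard patterns; a matching
    '!'-negated entry rejects the whole list at once, whatever its position."""
    ip = ipaddress.ip_address(addr)
    matched = False
    for entry in pattern_list.split(","):
        neg = entry.startswith("!")
        entry = entry.lstrip("!")
        try:
            hit = ip in ipaddress.ip_network(entry, strict=False)
        except ValueError:  # not an address or CIDR: wildcard string match
            hit = fnmatchcase(addr, entry)
        if hit and neg:
            return False
        matched = matched or hit
    return matched

def effective_config(global_keywords, match_blocks, addr):
    """Keyword->value map sshd would apply to a client connecting from addr;
    match_blocks is a list of (address_list, {keyword: value}) in file order."""
    result = {}
    for address_list, keywords in match_blocks:
        if addr_match_list(addr, address_list):
            for k, v in keywords.items():
                result.setdefault(k, v)  # first satisfied block to set it wins
    for k, v in global_keywords.items():
        result.setdefault(k, v)  # global section fills in what no Match set
    return result

# The thread's configuration as data.  AS_POSTED is anomie's block with
# "Match address *"; NEGATED excludes the admin subnets from the sftp block.
GLOBAL = {"PasswordAuthentication": "no"}
ADMIN_NETS = "192.168.50.0/24,192.168.51.0/24"
SFTP_ONLY = {"ChrootDirectory": "/var/ftp/upload/%u",
             "ForceCommand": "internal-sftp", "PasswordAuthentication": "yes"}
AS_POSTED = [(ADMIN_NETS, {"PasswordAuthentication": "yes"}), ("*", SFTP_ONLY)]
NEGATED = [(ADMIN_NETS, {"PasswordAuthentication": "yes"}),
           ("!192.168.50.0/24,!192.168.51.0/24,*", SFTP_ONLY)]

def gets_shell(match_blocks, addr):
    """True if a client at addr would not be confined to internal-sftp."""
    return "ForceCommand" not in effective_config(GLOBAL, match_blocks, addr)
```

On the real daemon, `sshd -T -C addr=192.168.50.10` prints the effective settings for a client at that address, which is the authoritative way to check what a Match block does before relying on it.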
by "anomie": Now then, this is untested. I don't know if it's even syntactically correct. But the theory seems right to me.
Well, the Match directive works really fine for me; I have the same setup and it's working fine. The "ForceCommand SFTP" directive prevents the user from accessing the shell, and he can only access SFTP.