Many administrators don't realize that SFTP (SSH File Transfer Protocol) is not a separate service but a subsystem of SSH: the stock sshd_config on most distributions declares a Subsystem sftp line, so enabling SSH access gives every user SFTP as well. There are, however, legitimate scenarios where you want to allow shell access while restricting file transfers.
The most effective method is a Match block in /etc/ssh/sshd_config that sets ForceCommand for the affected users. ForceCommand makes sshd ignore whatever the client asked for, including an sftp subsystem request and the legacy scp command, and run the command you specify instead. Here's how to implement it:
# Edit the SSH daemon configuration
sudo nano /etc/ssh/sshd_config
# Add these lines at the end of the file: a Match block stays in effect until the next Match or the end of the file
Match User restricteduser1,restricteduser2
# Run a shell no matter what the client requested (sftp subsystem, scp, or a remote command)
ForceCommand /bin/bash
PermitTunnel no
AllowAgentForwarding no
AllowTcpForwarding no
X11Forwarding no
Two things to note. Do not add ChrootDirectory %h to this block: sshd insists that the chroot directory and every component of its path be owned by root and not writable by group or others, which ordinary home directories are not, and a chroot that has to run /bin/bash needs the shell and its libraries copied inside the jail. With that line present the users are simply locked out ("bad ownership or modes for chroot directory"). Second, ForceCommand /bin/bash also discards the command in ssh user@host somecommand; the user gets a non-interactive bash reading from stdin instead. If remote commands need to keep working, use the wrapper-script variant described later on this page.
A word of caution: the widely copied configuration below is often mistaken for "disable SFTP", but it does the opposite. ForceCommand internal-sftp hands the user the built-in SFTP server and nothing else, so they lose shell access and keep file transfer. It is the right tool for an upload-only account, not for this problem:
Match User sftp_only_user
ForceCommand internal-sftp
ChrootDirectory /home/%u
PermitTunnel no
AllowTcpForwarding no
X11Forwarding no
PasswordAuthentication yes
ChrootDirectory works in this case because internal-sftp runs inside sshd and needs no binaries in the jail; /home/%u must still be owned by root and not writable by anyone else, with the user's writable area in a subdirectory below it.
After making changes, always test your configuration before reloading the SSH daemon; a typo in sshd_config would otherwise stop sshd from starting and lock you out. A reload is enough to pick up Match blocks and keeps existing sessions alive (the unit is named ssh on Debian/Ubuntu):
sudo sshd -t
sudo systemctl reload sshd
To verify SFTP is blocked while SSH remains accessible, test from a second session and keep your admin session open:
# This should fail rather than show an sftp> prompt. The exact error varies ("Connection closed",
# "Received message too long", or the client stalls waiting for a reply) because the client is talking SFTP to a shell
sftp restricteduser@yourserver
# This should successfully open a shell
ssh restricteduser@yourserver
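Connecting as the user is the end-to-end test, but you can also ask sshd what it will apply to a given user before anyone logs in: sshd -T -C user=...,host=...,addr=... prints the effective configuration after Match evaluation, one lowercase keyword per line. The script below is an added example, not part of the original answer; it parses that dump and succeeds only when the user has a ForceCommand that is not the SFTP-only internal-sftp jail and TCP forwarding is off. The two embedded dumps are constructed samples of the format so the checks run offline; check_user queries the real local sshd (as root).

```shell
#!/bin/bash
# Added example (not from the original answer): check what sshd will actually apply to one user.
# "sshd -T -C user=<u>,host=<h>,addr=<a>" dumps the effective config after Match evaluation,
# one lowercase keyword per line, e.g. "forcecommand /bin/bash".
set -u

# Print the value of one keyword from an "sshd -T" dump read on stdin (empty if absent).
effective_opt() {
    awk -v k="$1" 'tolower($1) == k { $1 = ""; sub(/^ +/, ""); print; exit }'
}

# Succeed (exit 0) only if the dump describes the intended policy: a forced command that is
# not the SFTP-only internal-sftp jail, and TCP forwarding disabled. "none" is what sshd
# prints for an unset ForceCommand.
check_nosftp_policy() {
    local dump="$1" fc fwd
    fc=$(printf '%s\n' "$dump" | effective_opt forcecommand)
    fwd=$(printf '%s\n' "$dump" | effective_opt allowtcpforwarding)
    case "$fc" in
        ""|none)        return 1 ;;   # no Match block reached this user
        internal-sftp*) return 1 ;;   # the opposite policy: SFTP allowed, shell denied
    esac
    [ "$fwd" = "no" ]
}

# Query the local sshd for a real user (needs root to read the host keys).
check_user() {
    check_nosftp_policy "$(sshd -T -C "user=$1,host=localhost,addr=127.0.0.1")"
}

# Constructed sample dumps in the shape sshd -T prints, for offline checking.
SAMPLE_RESTRICTED='port 22
forcecommand /bin/bash
allowtcpforwarding no
x11forwarding no'
SAMPLE_UNRESTRICTED='port 22
forcecommand none
allowtcpforwarding yes
x11forwarding no'

# Usage on the server: sudo bash check_nosftp.sh restricteduser1
if [ $# -gt 0 ]; then
    if check_user "$1"; then
        echo "$1: shell-only policy is in effect"
    else
        echo "$1: policy NOT in effect for this user" >&2
        exit 1
    fi
fi
```

A non-zero exit for a real user means the Match block did not apply to them: check the spelling of the user or group name, the user's group membership, or whether a later Match block overrides this one.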
For managing multiple users, consider using group-based matching instead of specifying individual users:
Match Group nosftp
ForceCommand /bin/bash
AllowTcpForwarding no
(As above, leave ChrootDirectory out: a home-directory chroot with a real shell fails sshd's ownership checks and lacks the shell binary.)
Then simply add users to the nosftp group:
sudo groupadd nosftp
sudo usermod -a -G nosftp username
Remember that a user with a shell can still move data through that shell (cat and base64 over the terminal, rsync where remote commands are allowed, a reverse connection with netcat), so treat this as a policy control rather than a hard boundary and add measures around it:
- Implement proper filesystem permissions
- Set up auditing with tools like auditd (for example, execve logging for these accounts)
- Consider a restricted shell such as rbash, bearing in mind that it is easily escaped and is not a security boundary on its own
- Monitor for unusual activity
# Understanding the Challenge
When managing multi-user Linux systems, there are scenarios where you need granular control over protocol access. A common requirement is disabling SFTP (SSH File Transfer Protocol) for certain users while preserving their SSH (Secure Shell) access for command-line operations.
# SSH Configuration Deep Dive
The key to this solution lies in the /etc/ssh/sshd_config file. OpenSSH provides several mechanisms for protocol restriction:
The simplest variant is a Match block alongside the SFTP subsystem declaration. Changing the Subsystem line itself is optional and does not affect the restricted group; it matters only because the subsystem's command line is what sshd hands to a forced command in SSH_ORIGINAL_COMMAND when a restricted user tries SFTP:
# Original SFTP configuration (Debian/Ubuntu path; RHEL-family systems use /usr/libexec/openssh/sftp-server)
#Subsystem sftp /usr/lib/openssh/sftp-server
# Optional: the in-process server for users who still get SFTP; -u sets their umask
Subsystem sftp internal-sftp -u 0002
Match Group sftp_denied
ForceCommand /bin/bash
X11Forwarding no
AllowTcpForwarding no
This configuration:
1. Switches the SFTP subsystem to the in-process internal-sftp implementation (optional; the denied group never reaches it)
2. Applies a umask of 0002 to files created by SFTP users, which only clears world-write; this is not a strict umask, use 0027 or 0077 if that is what you want
3. Creates a match block for users in the sftp_denied group
4. Forces a regular shell for them, so sftp subsystem and scp requests are discarded
ChrootDirectory %h has been left out on purpose: sshd requires the chroot directory and all of its parents to be root-owned and not group- or world-writable, and a chrooted shell needs /bin/bash and its libraries inside the jail, so ChrootDirectory %h combined with a home directory and a shell fails at login.
To keep ordinary remote commands (ssh user@host uptime) working while still refusing file transfer, use a wrapper script as the ForceCommand. sshd passes the client's real request in SSH_ORIGINAL_COMMAND, so the wrapper can inspect it. Note what that variable contains: for an sftp subsystem request it is the configured Subsystem command line (for example /usr/lib/openssh/sftp-server or internal-sftp), not the word "sftp"; for legacy scp it is "scp -t ..." or "scp -f ..."; for an interactive login it is empty, and the wrapper must then start a shell itself or the user gets nothing:
#!/bin/bash
# /usr/local/bin/ssh_wrapper.sh -- ForceCommand for users who keep a shell but lose file transfer
# SSH_ORIGINAL_COMMAND holds what the client really asked for: the configured sftp Subsystem
# command (e.g. "/usr/lib/openssh/sftp-server" or "internal-sftp ...") or "scp -t/-f ..." for legacy scp
case "${SSH_ORIGINAL_COMMAND:-}" in
    *sftp-server*|*internal-sftp*|"scp "*) echo "SFTP/SCP access disabled for this account" >&2; exit 1 ;;
    "") exec "${SHELL:-/bin/sh}" -l ;;                           # no command: interactive login shell
    *)  exec "${SHELL:-/bin/sh}" -c "$SSH_ORIGINAL_COMMAND" ;;   # plain remote command
esac
Make the script root-owned and executable (mode 755), then reference it in sshd_config:
Match User restricted_user1,restricted_user2
ForceCommand /usr/local/bin/ssh_wrapper.sh
PermitTTY yes
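Before pointing sshd at a wrapper, it pays to exercise its decision logic offline with the exact strings sshd puts in SSH_ORIGINAL_COMMAND. The script below is an added example, not part of the original answer; it separates the classification from the exec/exit so the decision can be tested, and it goes one step beyond the wrapper above by also refusing rsync, whose remote side runs rsync --server as an ordinary command and would otherwise pass straight through a shell-preserving wrapper. The REQ_* strings are constructed samples of what each client sends.

```shell
#!/bin/bash
# Added example (not from the original answer): testable decision logic for a ForceCommand wrapper.
# sshd sets SSH_ORIGINAL_COMMAND to what the client really requested:
#   sftp subsystem  -> the configured Subsystem command line ("/usr/lib/openssh/sftp-server", "internal-sftp ...")
#   legacy scp      -> "scp -t <dir>" (upload) or "scp -f <path>" (download); OpenSSH 9.0+ scp uses SFTP instead
#   rsync           -> "rsync --server ..." (a plain remote command, hence the extra rule here)
#   interactive ssh -> variable unset or empty
set -u

# Classify a request; prints one of: deny | login | exec
classify_request() {
    local cmd="${1:-}"
    case "$cmd" in
        *sftp-server*|*internal-sftp*)  echo deny ;;    # SFTP through any configured subsystem binary
        "scp "*|*"/scp "*)              echo deny ;;    # legacy scp protocol
        "rsync --server"*)              echo deny ;;    # rsync's remote side (not covered by the original wrapper)
        "")                             echo login ;;   # interactive session
        *)                              echo exec ;;    # ordinary remote command
    esac
}

# What the real wrapper does with the classification; kept apart from the decision so the
# decision can be tested without exec'ing a shell.
dispatch() {
    case "$(classify_request "${SSH_ORIGINAL_COMMAND:-}")" in
        deny)  echo "SFTP/SCP/rsync access disabled for this account" >&2; exit 1 ;;
        login) exec "${SHELL:-/bin/sh}" -l ;;
        exec)  exec "${SHELL:-/bin/sh}" -c "$SSH_ORIGINAL_COMMAND" ;;
    esac
}

# Constructed samples of SSH_ORIGINAL_COMMAND for each client behaviour.
REQ_SFTP_EXT='/usr/lib/openssh/sftp-server'
REQ_SFTP_INT='internal-sftp -u 0002'
REQ_SCP_UP='scp -t /home/alice/'
REQ_SCP_DOWN='scp -f /etc/hostname'
REQ_RSYNC='rsync --server -logDtpre.iLsfxC . /home/alice/'
REQ_CMD='uptime'
REQ_LOGIN=''

# Installed as "ForceCommand /usr/local/bin/ssh_wrapper.sh --run" it acts as the wrapper;
# run without arguments it only defines the functions above for testing.
if [ "${1:-}" = "--run" ]; then
    dispatch
fi
```

The split between classify_request and dispatch is the point: the part that talks to sshd (exec, exit) is three lines you can read, and the part that makes the security decision is a pure function you can run against new client behaviour whenever OpenSSH changes what it sends.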
After making changes, always test with:
# Validate config syntax
sudo sshd -t
# Apply changes (reload keeps existing sessions; the unit is named ssh on Debian/Ubuntu)
sudo systemctl reload sshd
# Test SFTP access: should be refused with the wrapper's message
sftp username@yourserver
# Test SSH access: should open a shell, and remote commands should still run
ssh username@yourserver
# Real-world Considerations
1. Always maintain a separate admin SSH connection when testing
2. Consider implementing these changes in a test environment first
3. Document your configuration changes for future reference
4. For enterprise environments, combine this with PAM (for example pam_access or pam_time to limit where and when these accounts may log in)
# Alternative Approaches
For systems requiring more sophisticated access control:
1. Implement SSH certificate-based authentication, where the certificate itself can carry a force-command and deny the permit-* extensions per principal
2. Use the restrict option in authorized_keys (OpenSSH 7.2 and later) together with command= for a per-key equivalent of the Match block
3. Consider containerization or virtualization for complete isolation
Remember that while these methods block the sftp subsystem and scp, a user with a shell can still move files by other means: cat or base64 over the terminal, rsync (whose remote side runs rsync --server as an ordinary command, so the wrapper above lets it through unless you add it to the deny list), or netcat if outbound connections are allowed. Always implement defense in depth.