How can I disable some commands in SFTP?SFTP logging: is there a way?Where can I find logs for SFTP?Passwordless sftp upload commands not executed using a shell scriptHow to disable sftp for some users, but keep ssh enabled?Allow SFTP but disallow SSH?SSH - cannot start sftp-server when trying to force internal sftpDisable chmod in openssh-serverhow to create sftp accountHow to disable sftp access to user with ssh already disabled (user shell = /bin/false, but connection still works with sftp)How can I disable sftp temporarily without reloading the service?
Mysterious procedure calls without parameters - but no exceptions generated
Beginner looking to learn/master musical theory and instrumental ability. Where should I begin?
Did this character show any indication of wanting to rule before S8E6?
Why A=2 and B=1 in the call signs for Spirit and Opportunity?
Popcorn is the only acceptable snack to consume while watching a movie
Take elements from a list based on two criteria
What is the meaning of "<&3" and "done < file11 3< file22"
What Armor Optimization applies to a Mithral full plate?
The art of clickbait captions
Why didn't Thanos use the Time Stone to stop the Avengers' plan?
Of strange atmospheres - the survivable but unbreathable
What did the 'turbo' button actually do?
Is it truly impossible to tell what a CPU is doing?
Why do Russians almost not use verbs of possession akin to "have"?
Why does this if statement return true
How can I make an argument that my time is valuable?
Best material to absorb as much light as possible
How do I superimpose two math symbols?
Python program to take in two strings and print the larger string
Shorten or merge multiple lines of `&> /dev/null &`
Why are GND pads often only connected by four traces?
Why haven't we yet tried accelerating a space station with people inside to a near light speed?
What was the idiom for something that we take without a doubt?
What is the use case for non-breathable waterproof pants?
How can I disable some commands in SFTP?
SFTP logging: is there a way?Where can I find logs for SFTP?Passwordless sftp upload commands not executed using a shell scriptHow to disable sftp for some users, but keep ssh enabled?Allow SFTP but disallow SSH?SSH - cannot start sftp-server when trying to force internal sftpDisable chmod in openssh-serverhow to create sftp accountHow to disable sftp access to user with ssh already disabled (user shell = /bin/false, but connection still works with sftp)How can I disable sftp temporarily without reloading the service?
.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty height:90px;width:728px;box-sizing:border-box;
How can I disable some commands in SFTP for my clients, like ln & symlink?
I've checked man sftp, but didn't find what I'm searching for.
sftp
asked Mar 4 '17 at 3:25
user134969user134969
1851313
add a comment |
How can I disable some commands in SFTP for my clients, like ln & symlink?
I've checked man sftp, but didn't find what I'm searching for.
sftp
asked Mar 4 '17 at 3:25
user134969user134969
1851313
This doesn't make much sense. Why do you want to do this?
– Michael Hampton♦
Mar 4 '17 at 3:32
As Michael Hampton said, this doesn't make sense. The only thing I can think to do is disallow access to those commands with Linux ACLs from the users that log onto your server via SFTP and/or, depending if you're running SFTP in a chroot jail, the specific user that is running SFTP.
– cerberus
Mar 4 '17 at 4:15
add a comment |
How can I disable some commands in SFTP for my clients, like ln & symlink?
I've checked man sftp, but didn't find what I'm searching for.
sftp
asked Mar 4 '17 at 3:25
user134969user134969
1851313
How can I disable some commands in SFTP for my clients, like ln & symlink?
I've checked man sftp, but didn't find what I'm searching for.
sftp
sftp
asked Mar 4 '17 at 3:25
user134969user134969
1851313
asked Mar 4 '17 at 3:25
user134969user134969
1851313
asked Mar 4 '17 at 3:25
user134969user134969
1851313
asked Mar 4 '17 at 3:25
user134969user134969
1851313
asked Mar 4 '17 at 3:25
user134969user134969
1851313
1851313
This doesn't make much sense. Why do you want to do this?
– Michael Hampton♦
Mar 4 '17 at 3:32
As Michael Hampton said, this doesn't make sense. The only thing I can think to do is disallow access to those commands with Linux ACLs from the users that log onto your server via SFTP and/or, depending if you're running SFTP in a chroot jail, the specific user that is running SFTP.
– cerberus
Mar 4 '17 at 4:15
add a comment |
This doesn't make much sense. Why do you want to do this?
– Michael Hampton♦
Mar 4 '17 at 3:32
As Michael Hampton said, this doesn't make sense. The only thing I can think to do is disallow access to those commands with Linux ACLs from the users that log onto your server via SFTP and/or, depending if you're running SFTP in a chroot jail, the specific user that is running SFTP.
– cerberus
Mar 4 '17 at 4:15
This doesn't make much sense. Why do you want to do this?
– Michael Hampton♦
Mar 4 '17 at 3:32
This doesn't make much sense. Why do you want to do this?
– Michael Hampton♦
Mar 4 '17 at 3:32
As Michael Hampton said, this doesn't make sense. The only thing I can think to do is disallow access to those commands with Linux ACLs from the users that log onto your server via SFTP and/or, depending if you're running SFTP in a chroot jail, the specific user that is running SFTP.
– cerberus
Mar 4 '17 at 4:15
As Michael Hampton said, this doesn't make sense. The only thing I can think to do is disallow access to those commands with Linux ACLs from the users that log onto your server via SFTP and/or, depending if you're running SFTP in a chroot jail, the specific user that is running SFTP.
– cerberus
Mar 4 '17 at 4:15
add a comment |
2 Answers
2
active
oldest
votes
You did not specify, what SFTP server are you using. I'm assuming the OpenSSH.
The sftp-server (and the compatible internal-sftp) has the -P and -p switches to black/white list certain SFTP requests.
You can use them to disallow the symlink requests:
Subsystem sftp internal-sftp -P symlink
answered Mar 4 '17 at 6:30
Martin PrikrylMartin Prikryl
5,3642660
I've tried this, but it doesn't work.
– user134969
Mar 4 '17 at 21:21
2
What did you try? What does not work? What does it do instead? What version of OpenSSH are you using?
– Martin Prikryl
Mar 5 '17 at 6:44
Doesn't work a specific user as it is not usable in a Match block
– Erdal G.
Aug 24 '17 at 12:44
@ErdalG. You are right. I've removed that part. You can useForceCommandthough (but that would disallow shell access, what you actually want to do anyway probably, if you want to limit what user can do).
– Martin Prikryl
Aug 24 '17 at 12:49
add a comment |
You can only pass args to the sftp command when using ForceCommand, not Subsystem. If you do what the other answer says, the -P arg will be silently ignored!
The correct way:
Subsystem sftp internal-sftp
ForceCommand internal-sftp -P symlink
(you possibly also want to put a Match block around the second line)
edited May 11 at 0:12
womble♦
86.3k18147205
answered May 10 at 23:32
ruforufo
312
add a comment |
Your Answer
StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "2"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);
else
createEditor();
);
function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);
);
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f836212%2fhow-can-i-disable-some-commands-in-sftp%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
2 Answers
2
active
oldest
votes
2 Answers
2
active
oldest
votes
active
oldest
votes
active
oldest
votes
You did not specify, what SFTP server are you using. I'm assuming the OpenSSH.
The sftp-server (and the compatible internal-sftp) has the -P and -p switches to black/white list certain SFTP requests.
You can use them to disallow the symlink requests:
Subsystem sftp internal-sftp -P symlink
answered Mar 4 '17 at 6:30
Martin PrikrylMartin Prikryl
5,3642660
I've tried this, but it doesn't work.
– user134969
Mar 4 '17 at 21:21
2
What did you try? What does not work? What does it do instead? What version of OpenSSH are you using?
– Martin Prikryl
Mar 5 '17 at 6:44
Doesn't work a specific user as it is not usable in a Match block
– Erdal G.
Aug 24 '17 at 12:44
@ErdalG. You are right. I've removed that part. You can useForceCommandthough (but that would disallow shell access, what you actually want to do anyway probably, if you want to limit what user can do).
– Martin Prikryl
Aug 24 '17 at 12:49
add a comment |
You did not specify, what SFTP server are you using. I'm assuming the OpenSSH.
The sftp-server (and the compatible internal-sftp) has the -P and -p switches to black/white list certain SFTP requests.
You can use them to disallow the symlink requests:
Subsystem sftp internal-sftp -P symlink
answered Mar 4 '17 at 6:30
Martin PrikrylMartin Prikryl
5,3642660
I've tried this, but it doesn't work.
– user134969
Mar 4 '17 at 21:21
2
What did you try? What does not work? What does it do instead? What version of OpenSSH are you using?
– Martin Prikryl
Mar 5 '17 at 6:44
Doesn't work a specific user as it is not usable in a Match block
– Erdal G.
Aug 24 '17 at 12:44
@ErdalG. You are right. I've removed that part. You can useForceCommandthough (but that would disallow shell access, what you actually want to do anyway probably, if you want to limit what user can do).
– Martin Prikryl
Aug 24 '17 at 12:49
add a comment |
You did not specify, what SFTP server are you using. I'm assuming the OpenSSH.
The sftp-server (and the compatible internal-sftp) has the -P and -p switches to black/white list certain SFTP requests.
You can use them to disallow the symlink requests:
Subsystem sftp internal-sftp -P symlink
answered Mar 4 '17 at 6:30
Martin PrikrylMartin Prikryl
5,3642660
You did not specify, what SFTP server are you using. I'm assuming the OpenSSH.
The sftp-server (and the compatible internal-sftp) has the -P and -p switches to black/white list certain SFTP requests.
You can use them to disallow the symlink requests:
Subsystem sftp internal-sftp -P symlink
answered Mar 4 '17 at 6:30
Martin PrikrylMartin Prikryl
5,3642660
edited Sep 12 '17 at 15:52
answered Mar 4 '17 at 6:30
Martin PrikrylMartin Prikryl
5,3642660
answered Mar 4 '17 at 6:30
Martin PrikrylMartin Prikryl
5,3642660
answered Mar 4 '17 at 6:30
Martin PrikrylMartin Prikryl
5,3642660
5,3642660
I've tried this, but it doesn't work.
– user134969
Mar 4 '17 at 21:21
2
What did you try? What does not work? What does it do instead? What version of OpenSSH are you using?
– Martin Prikryl
Mar 5 '17 at 6:44
Doesn't work a specific user as it is not usable in a Match block
– Erdal G.
Aug 24 '17 at 12:44
@ErdalG. You are right. I've removed that part. You can useForceCommandthough (but that would disallow shell access, what you actually want to do anyway probably, if you want to limit what user can do).
– Martin Prikryl
Aug 24 '17 at 12:49
add a comment |
I've tried this, but it doesn't work.
– user134969
Mar 4 '17 at 21:21
2
What did you try? What does not work? What does it do instead? What version of OpenSSH are you using?
– Martin Prikryl
Mar 5 '17 at 6:44
Doesn't work a specific user as it is not usable in a Match block
– Erdal G.
Aug 24 '17 at 12:44
@ErdalG. You are right. I've removed that part. You can useForceCommandthough (but that would disallow shell access, what you actually want to do anyway probably, if you want to limit what user can do).
– Martin Prikryl
Aug 24 '17 at 12:49
I've tried this, but it doesn't work.
– user134969
Mar 4 '17 at 21:21
I've tried this, but it doesn't work.
– user134969
Mar 4 '17 at 21:21
2
2
What did you try? What does not work? What does it do instead? What version of OpenSSH are you using?
– Martin Prikryl
Mar 5 '17 at 6:44
What did you try? What does not work? What does it do instead? What version of OpenSSH are you using?
– Martin Prikryl
Mar 5 '17 at 6:44
Doesn't work a specific user as it is not usable in a Match block
– Erdal G.
Aug 24 '17 at 12:44
Doesn't work a specific user as it is not usable in a Match block
– Erdal G.
Aug 24 '17 at 12:44
@ErdalG. You are right. I've removed that part. You can use
ForceCommand though (but that would disallow shell access, what you actually want to do anyway probably, if you want to limit what user can do).– Martin Prikryl
Aug 24 '17 at 12:49
@ErdalG. You are right. I've removed that part. You can use
ForceCommand though (but that would disallow shell access, what you actually want to do anyway probably, if you want to limit what user can do).– Martin Prikryl
Aug 24 '17 at 12:49
add a comment |
You can only pass args to the sftp command when using ForceCommand, not Subsystem. If you do what the other answer says, the -P arg will be silently ignored!
The correct way:
Subsystem sftp internal-sftp
ForceCommand internal-sftp -P symlink
(you possibly also want to put a Match block around the second line)
edited May 11 at 0:12
womble♦
86.3k18147205
answered May 10 at 23:32
ruforufo
312
add a comment |
You can only pass args to the sftp command when using ForceCommand, not Subsystem. If you do what the other answer says, the -P arg will be silently ignored!
The correct way:
Subsystem sftp internal-sftp
ForceCommand internal-sftp -P symlink
(you possibly also want to put a Match block around the second line)
edited May 11 at 0:12
womble♦
86.3k18147205
answered May 10 at 23:32
ruforufo
312
add a comment |
You can only pass args to the sftp command when using ForceCommand, not Subsystem. If you do what the other answer says, the -P arg will be silently ignored!
The correct way:
Subsystem sftp internal-sftp
ForceCommand internal-sftp -P symlink
(you possibly also want to put a Match block around the second line)
edited May 11 at 0:12
womble♦
86.3k18147205
answered May 10 at 23:32
ruforufo
312
You can only pass args to the sftp command when using ForceCommand, not Subsystem. If you do what the other answer says, the -P arg will be silently ignored!
The correct way:
Subsystem sftp internal-sftp
ForceCommand internal-sftp -P symlink
(you possibly also want to put a Match block around the second line)
edited May 11 at 0:12
womble♦
86.3k18147205
answered May 10 at 23:32
ruforufo
312
edited May 11 at 0:12
womble♦
86.3k18147205
edited May 11 at 0:12
womble♦
86.3k18147205
edited May 11 at 0:12
womble♦
86.3k18147205
86.3k18147205
answered May 10 at 23:32
ruforufo
312
answered May 10 at 23:32
ruforufo
312
answered May 10 at 23:32
ruforufo
312
312
add a comment |
add a comment |
Thanks for contributing an answer to Server Fault!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f836212%2fhow-can-i-disable-some-commands-in-sftp%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
This doesn't make much sense. Why do you want to do this?
– Michael Hampton♦
Mar 4 '17 at 3:32
As Michael Hampton said, this doesn't make sense. The only thing I can think to do is disallow access to those commands with Linux ACLs from the users that log onto your server via SFTP and/or, depending if you're running SFTP in a chroot jail, the specific user that is running SFTP.
– cerberus
Mar 4 '17 at 4:15