jump to navigation

Disable SSH Logins on a Linux Box and Allow SCP/SFTP Logins by Using “scponly” October 12, 2012

Posted by Tournas Dimitrios in Linux.

All Linux admins  are aware of  Secure Shell or SSH ,  a  network protocol that allows data to be exchanged using a secure channel between two networked devices . It was designed as a replacement for Telnet and other insecure remote shell protocols (rsh , rcp … ) , which send information  in plain-text . When these old protocols were used , all a script-kiddie had to do , was to set  his/her network card (NIC) in promiscuous mode , “fire-up” a packet – analyzer and …. Viola … each and every character was displayed on his/her monitor (notably username : passwords) . SSH has different uses , from simple secure-terminal authentication (just username/password or public key authentication) , secure-copy , tunneling of other insecure protocols up to secure remote desktop . My Linux-Index page  has already published articles that describe  all variants of uses for SSH  .

Here is the following scenario : Only an administrator from the local network (LAN) should have SSH-access  to the server . All other users , especially WAN-users ,  should be restricted  to SCP and SFTP logins , but disallowed to SSH logins (e.g. with PuTTY) so that they cannot execute files/programs . Introducing  scponly ……

scponly is an alternate shell that restricts users to SCP and SFTP logins and disallows SSH logins . It is a wrapper to the OpenSSH suite of applications . With the help of scponly,  you can allow your users to use clients such as WinSCP or FileZilla to upload/download files , but you refuse SSH logins . This article shows how to install scponly on a RedHat-based distribution (CentOs) , though the same concepts apply to other distro’s (Debian-based) . scponly is an extremely simple restricted shell , user account that has scponly binary as its shell won’t be able to do anything except transfer data from remote host via scp , sftp  or via rsync/scp . .

An alternative solution to scponly is  rssh , it provides little bit more features: you can limit users to use selected protocols like scp , sftp , rsync , cvs or rdist either in chroot environment or not .

Installation : 

My preferred way of installing packages on CentOs is by using yum , Debian-based distro’s  have a similar package manager — ie aptitude —  . If you prefer the “old-school” way for installing packages then  you should download sources and do some ./configure make and make install . Here are the links: latest rssh .tar.gz  , latest scponly .tgz .

For RedHat :
yum install rssh
yum install scponly

For Debian :
apt-get install rssh
apt-get install scponly

scponly doesn’t need any configuration and works out of the box , the only think that should be done is  set it as the defauld shell for each user-account . Here is an examples .
Create new user account with scponly as the default shell :
useradd -s /usr/sbin/scponly userxyz
Or modify an existing user account to set rssh as a shell :
usermod  -s  /usr/sbin/scponly  userxyz 

The following screen-shots demonstrate the final result . First Putty is used to log-in from a Windows Box into my local CentOs development server . SSH is used to log-in as administrator , an user is created and scponly set as default shell . When attempt is made to ssh-ing into the newly created user (userxyz123) , an message is displayed .

And now , let’s use WinScp (an GUI interface) to login into the newly created account on the CentOs box
Further improvements :
On production servers , not only SSH-restrictions should be applied on user-accounts but also restrictions to the file-system (visibility) . Although directories could be protected with “chmod” , simple users shouldn’t even have visible access into the system’s file-structure . This can be achieved by restricting user-accounts into a “chrooted” environment . But that is an subject for another article , so stay tuned .


1. GJ - October 12, 2012

wow, nice article…keep sharing…

2. lesly - October 12, 2012

wow. this blog is truly a gold mine. i will actually try these tips and let you know how they work out! thanks again mate.

3. Manuele - October 20, 2012

thank you for sharing some knowledge. i really appreciate it.

4. PK - October 20, 2012

Greetings! Very helpful advice in this particular article!
It is the little changes that produce the greatest changes.
Thanks for sharing!

5. Hardening Linux by Disabling SSH Password Authentication (allow only RSA) « Tournas Dimitrios - January 4, 2013

[…] Disable SSH Logins on a Linux Box and Allow SCP/SFTP Logins by Using “scponly” […]

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s