Thursday, February 3, 2011

Set up sftp to use password but ssh not to use password

Is it possible to set up a user on ubuntu with openssh so that ssh does not use password authentication but sftp does?

I assume that if I change /etc/ssh/ssh_config to have PasswordAuthentication yes this makes it possible for users to use passwords to login with both ssh and sftp.

Edit: My purpose here is to let some users sftp with a password instead of a keyfile. But I do not want ssh users to be able to login with a password, I want them to have to use a keyfile. If it helps, I do not need the sftp users to be able to login, they only need to do sftp.

  • No, and I don't see how this would improve security, so what would be the point?

    authorized_keys can allow different commands for different keys, if that's what you're after. Otherwise, you have the option of creating several accounts and using acls or sudo.

    dar : I'm not trying to improve security. I'm trying to make it easier for some users to use a password instead of a keyfile for sftp access. However, I do not want anyone to use a password for ssh access.
    Tobu : @dar OK; different accounts then. If they were the same account, someone knowing the sftp password could overwrite some profile file (.ssh/rc, .profile, .bashrc…) and get the same privileges as someone knowing the private key.
    From Tobu
  • Taking a stab in the dark here, but you may find this thread interesting.

    http://serverfault.com/questions/41212/it-is-fair-to-jail-my-sftp-users-to-their-home-directory

    dar : I don't see anything in there about PasswordAuthentication, correct me if I'm wrong.
    Tyler K : No, you're correct. It wasn't clear what you wanted to do with SFTP vs SSH. I see from the other comment that you want users to use a password for SFTP but not for SSH. Why?
    dar : Because these users that need to use sftp find keyfiles challenging, but they understand how to type in passwords. It boils down to a user experience issue for sftp. But I want to minimize the attack surface area by keeping passwords out of the ssh mix.
    Tyler K : SFTP works by first opening a ssh tunnel, then transmitting files via FTP. You can't really divorce the two. I guess you could by setting up some ACLs, but that doesn't really make sense.
    From Tyler K
  • You cannot. In OpenSSH, SFTP does not exist as a separate service, but only as a function of SSH. As such, they use exactly the same communication channel and the same options and features.

  • As I understand you have (at least for this particular problem) two distinct groups of users, one being able to login via SSH and get an interactive shell (let's call the group ssh) and one being able to login via SFTP and only get an SFTP shell (let's call the group sftp).

    Now create the groups ssh and sftp on your system with groupadd, put the respective users in the groups (gpasswd -a $USERNAME $GROUPNAME) and append the following lines at the end (this is important!) of your sshd_config:

    Match Group sftp
      PasswordAuthentication yes
      # Further directives for users in the "sftp" group
    
    Match Group ssh
      PasswordAuthentication no
      # Further directives for users in the "ssh" group
    

    Read about the Match directive in sshd_config(5) and about the allowed patterns in ssh_config(5).

    Tobu : This isn't well documented, but only one Match directive will be used; you should put the most specific directive on top. If you list sftp first, a user who is in both groups will be allowed PasswordAuthentication.
    dar : Thanks! There's already a `ssh` group on my ubuntu boxes, so I really only need to add `sftp` and put the sftp users into that group. I'll combine your answer with using `scponly` to keep the sftp users from logging in.
    From joschi
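The policy from joschi's answer, written out as a self-checking script. This is an added example, not code from the original thread or from OpenSSH: it assumes the group names sftp and ssh used in the answer, takes the config path as an argument (a scratch file in the example; /etc/ssh/sshd_config on a real host), and the ForceCommand internal-sftp line is an addition to cover dar's remark that the sftp users never need a shell. Instead of two Match blocks whose relative order decides the outcome (Tobu's caveat), it sets the global default to key-only and adds a single exception block for the sftp group, and it checks the ordering rule the answer stresses: every directive after a Match line belongs to that block, so the global default has to come before the first Match.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumed group name: "sftp".
# Global defaults must precede any "Match" line, because every directive that
# follows a Match line belongs to that block until the next Match.

# Append the password policy to the sshd_config named in $1.
write_password_policy() {
    cat >>"$1" <<'EOF'
# --- begin sftp/ssh password policy (appended; keep after all global lines) ---
# Default for everyone, including the "ssh" group: keys only.
# ChallengeResponseAuthentication is disabled too, otherwise PAM
# keyboard-interactive can still accept a password.
PasswordAuthentication no
ChallengeResponseAuthentication no

# Exception: members of "sftp" may use a password, but they only ever get the
# in-process SFTP server (ForceCommand is an addition to the answer), so the
# password cannot be turned into an interactive shell.
Match Group sftp
    PasswordAuthentication yes
    ForceCommand internal-sftp
    X11Forwarding no
    AllowTcpForwarding no
# --- end sftp/ssh password policy ---
EOF
}

# Exit 0 if the file in $1 is ordered as intended:
#   - the first global PasswordAuthentication (before any Match) is "no"
#   - a "Match Group sftp" block sets PasswordAuthentication yes
# Exit 1 otherwise (for example when the global line was appended after a
# Match block and is therefore swallowed by it).
# Assumes the common "keyword value" form, not "keyword=value".
check_password_policy() {
    awk '
        BEGIN { in_match = ""; global_seen = 0; global_no = 0; sftp_yes = 0 }
        /^[ \t]*#/ || /^[ \t]*$/ { next }          # skip comments and blank lines
        tolower($1) == "match" {
            if (tolower($2) == "group" && $3 == "sftp") in_match = "sftp"
            else in_match = "other"
            next
        }
        tolower($1) == "passwordauthentication" {
            v = tolower($2)
            if (in_match == "") {
                if (!global_seen) { global_seen = 1; global_no = (v == "no") }
            } else if (in_match == "sftp" && v == "yes") {
                sftp_yes = 1
            }
        }
        END { if (global_no && sftp_yes) exit 0; exit 1 }
    ' "$1"
}

# On a real host, ask sshd itself what it would apply to user $1:
# "sshd -T -C ..." prints the effective configuration after Match evaluation.
# Needs a complete config with host keys ($2, default /etc/ssh/sshd_config);
# prints a note and returns 0 when sshd is not installed (e.g. in a sandbox).
effective_password_auth() {
    command -v sshd >/dev/null 2>&1 || { echo "sshd not available"; return 0; }
    sshd -T -f "${2:-/etc/ssh/sshd_config}" \
        -C "user=$1,host=localhost,addr=127.0.0.1" 2>/dev/null \
        | awk 'tolower($1) == "passwordauthentication" { print $2 }'
}

# Usage on a scratch copy (constructed input, not a real host):
#   cp /etc/ssh/sshd_config /tmp/sshd_config.test
#   write_password_policy /tmp/sshd_config.test
#   check_password_policy /tmp/sshd_config.test && echo "ordering OK"
#   effective_password_auth someuser        # compare against the live config
```

After installing the fragment, compare `effective_password_auth` for a member of sftp (expect `yes`) and for a member of ssh (expect `no`) before reloading sshd; the check function only catches the ordering mistake, sshd -T is the authoritative answer.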
