Restrict commands available in an SFTP session

Salvador Fandino sfandino at yahoo.com
Wed Feb 11 04:11:50 EST 2009


Jason Dickerson wrote:
> I am currently running OpenSSH 4.3.  I would like to restrict the commands
> SFTP users can run to a list.  For example, "put, get, mput, mget, mkdir,
> rmdir, and rm".  Is this possible with OpenSSH?  I have seen many posts
> concerning chroot'ing and the Forced Command option, but none of these
> solutions address restricting the commands actually available inside the SFTP
> subsystem.  Any insight would be greatly appreciated.
> 
> Thanks,
> 
> Jason Dickerson

The sftp-server application source code is quite simple.

It will require minimal C knowledge to replace the unwanted command
handlers with versions that return SSH_FXP_STATUS messages with a
SSH_FX_FAILURE code.

Modify the source, compile it and install the new application on your 
server (as /usr/lib/my-sftp-server, for instance) and change the sshd 
sftp sub-system configuration to use it for all or some users.

Cheers,

  - Salva
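
An added illustration of the approach described in the reply above, not code from OpenSSH's sftp-server or from the poster: a default-deny filter that answers disallowed request types with an SSH_FXP_STATUS / SSH_FX_FAILURE packet. The function names, the allow-list and the message text are assumptions; the numeric constants are those of the SFTP version 3 draft.

```c
#include <stdint.h>
#include <string.h>

/* Packet types and status code from the SFTP protocol version 3 draft. */
enum { FXP_INIT = 1, FXP_OPEN = 3, FXP_CLOSE = 4, FXP_READ = 5, FXP_WRITE = 6,
       FXP_LSTAT = 7, FXP_FSTAT = 8, FXP_OPENDIR = 11, FXP_READDIR = 12,
       FXP_REMOVE = 13, FXP_MKDIR = 14, FXP_RMDIR = 15, FXP_REALPATH = 16,
       FXP_STAT = 17, FXP_STATUS = 101, FX_FAILURE = 4 };

/* Assumed policy: the requests behind put/get/mkdir/rmdir/rm, plus the lookups
 * a client needs to navigate. Anything not listed is refused by default. */
static int request_allowed(uint8_t type)
{
    switch (type) {
    case FXP_INIT: case FXP_OPEN: case FXP_CLOSE: case FXP_READ: case FXP_WRITE:
    case FXP_LSTAT: case FXP_FSTAT: case FXP_OPENDIR: case FXP_READDIR:
    case FXP_REMOVE: case FXP_MKDIR: case FXP_RMDIR: case FXP_REALPATH: case FXP_STAT:
        return 1;
    default:
        return 0;   /* rename, setstat, symlink, extensions, unknown types */
    }
}

static uint8_t *put_u32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
    return p + 4;
}

/* Takes one framed request (uint32 length, byte type, uint32 id, ...). Returns 0
 * to pass it to the normal handler, -1 if malformed or out is too small, otherwise
 * the size of the SSH_FXP_STATUS / SSH_FX_FAILURE reply written to out. */
int filter_request(const uint8_t *req, size_t len, uint8_t *out, size_t cap)
{
    static const char msg[] = "command disabled";   /* constructed text */
    size_t mlen = sizeof msg - 1, body = 1 + 4 + 4 + 4 + mlen + 4;
    if (len < 9) return -1;
    if (request_allowed(req[4])) return 0;
    if (cap < 4 + body) return -1;
    uint32_t id = (uint32_t)req[5] << 24 | (uint32_t)req[6] << 16 | (uint32_t)req[7] << 8 | req[8];
    uint8_t *p = put_u32(out, (uint32_t)body);
    *p++ = FXP_STATUS;
    p = put_u32(p, id);                             /* echo the request id */
    p = put_u32(p, FX_FAILURE);
    p = put_u32(p, (uint32_t)mlen);
    memcpy(p, msg, mlen);
    put_u32(p + mlen, 0);                           /* empty language tag */
    return (int)(4 + body);
}
```

The default branch is what makes this a restriction rather than a block-list: a request type added by a later protocol extension is refused until it is explicitly allowed.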



More information about the openssh-unix-dev mailing list