Hello
When I disable the SSH Password Auth Tweak, SFTP stops too.
I want to keep SFTP working, but SSH stopped. SSH must work only with a private key.
Thank you
Konrath
I'm not sure whether it will satisfy your exact need.
SSH Password Auth Tweak itself is kept enabled.
I'm setting this for a particular user named "test".
1) Set the user's shell to:
/usr/libexec/openssh/sftp-server (give the correct path for sftp-server, wherever it is on the server)
You can do this by opening /etc/passwd and changing the shell field to
/usr/libexec/openssh/sftp-server
It may look like
test:x:528:528::/home/test:/usr/libexec/openssh/sftp-server
2) Add /usr/libexec/openssh/sftp-server to /etc/shells
This will allow sftp and disable shell access for user test.
But I haven't tried the SSH Private Key method.
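A way to check both steps from the post above after making the change, as an added example that is not part of the original thread: the function name `audit_sftp_only` is hypothetical, and the passwd and shells contents are constructed sample data, not taken from a real server.

```shell
#!/bin/sh
# audit_sftp_only PASSWD_FILE SHELLS_FILE SFTP_SERVER_PATH
# Prints one line per account:
#   "<user> sftp-only"               shell is sftp-server and it is in the shells file
#   "<user> sftp-only-but-unlisted"  shell is sftp-server but step 2 was skipped
#   "<user> shell:<path>"            account still has some other login shell
# Returns 1 if any account is in the "unlisted" state, otherwise 0.
audit_sftp_only() {
    passwd_file=$1 shells_file=$2 sftp_path=$3
    rc=0
    listed=no
    # -x whole-line match, -F literal string, so a similar path does not match
    if grep -qxF "$sftp_path" "$shells_file"; then listed=yes; fi
    # passwd fields: name:password:uid:gid:gecos:home:shell
    while IFS=: read -r user _pw _uid _gid _gecos _home shell; do
        case $user in ''|\#*) continue ;; esac   # skip blank and comment lines
        if [ "$shell" = "$sftp_path" ]; then
            if [ "$listed" = yes ]; then
                echo "$user sftp-only"
            else
                echo "$user sftp-only-but-unlisted"
                rc=1
            fi
        else
            echo "$user shell:$shell"
        fi
    done < "$passwd_file"
    return $rc
}

# Constructed sample data: step 1 done for "test", step 2 not done yet.
tmp=$(mktemp -d)
printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
    'test:x:528:528::/home/test:/usr/libexec/openssh/sftp-server' > "$tmp/passwd"
printf '%s\n' /bin/sh /bin/bash > "$tmp/shells"
audit_sftp_only "$tmp/passwd" "$tmp/shells" /usr/libexec/openssh/sftp-server \
    || echo "fix: add the sftp-server path to the shells file"
rm -rf "$tmp"
```

On a real server the arguments would be /etc/passwd, /etc/shells and the actual sftp-server path, which differs between distributions.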
While SFTP does interface with the SSH server, the user logging in to SFTP
does not have to have shell access. Just don't give SSH access out!
I don't recommend that you stop the SSH server just because it can cause
you a great deal of other headaches but moving it to another port, using
certificates, disabling direct root access, and using only protocol 2 are all
good steps for protecting it. Beyond that, just don't give anyone shell access.
Now in regard to SFTP, like I said the user doesn't have to have shell access
enabled to be able to use it but then at the same time I have to be curious
as to the underlying reason you are pushing for SFTP only. If you are under
the impression that FTP is being hacked anywhere recently, you are delusional
and misinformed. While there is a lot of chatter (and bad assumptions) going
around the net regarding that lately, the truth is the exploit being used has
absolutely nothing to do with FTP whatsoever. Recent hackers have been
capturing packets and keylogging users' own home computers and then
using the information collected to login to the user's own accounts at
web hosting companies and banks which is incidentally why they usually
get in on the first try without any brute force attempts.
Bad news for those who think SFTP with certs might help, I've already seen
this exploit used in the wild capturing encryption certificates and connecting
by other "secure" means using a proxy off the user's own computer and
certificates ripped from the user's own computer.
Point in fact, if you are generally trying to increase security -- wouldn't hurt.
If you are trying to protect from the recent exploit chatter - Then I laugh
at you wholeheartedly because what you are doing is pointless. That said
I am investigating solutions myself to try to help these users get protected
and not get compromised in the first place.