how to disable ssh and keep sftp working

Discussion in 'General Discussion' started by konrath, Jul 3, 2009.

  1. konrath

    konrath Well-Known Member

    May 3, 2005

    When I disable the SSH Password Auth Tweak, SFTP stops too.

    I want to keep SFTP working but with SSH stopped. SSH must work only with a private key.

    Thank you
  2. manjula.k

    manjula.k Registered

    Apr 16, 2009
    I'm not sure whether it will satisfy your exact need.

    SSH Password Auth Tweak is kept enabled.

    I'm setting this for a particular user named "test". Set the user's shell to:

    /usr/libexec/openssh/sftp-server (give the correct path for sftp-server, wherever it is on the server)

    You can do this by opening /etc/passwd and changing the shell field to

    It may look like


    2) Add /usr/libexec/openssh/sftp-server to /etc/shells

    This will allow SFTP and disable shell access for user test.

    But I haven't tried the SSH Private Key method.
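
The two steps in the answer above (set the account's shell to sftp-server, then list that path in /etc/shells) can be checked with a short audit script. This is an added example, not part of the original posts; the function names, the status labels, and the sample accounts and file contents other than the user `test` and its shell path are constructed for illustration.

```shell
#!/bin/sh
# Added example: report which accounts are limited to SFTP by their login shell.

# classify_accounts PASSWD_FILE SHELLS_FILE
# Prints "user:status" for every account in PASSWD_FILE:
#   sftp-only       shell is an sftp-server binary that is listed in SHELLS_FILE
#   sftp-unlisted   shell is an sftp-server binary missing from SHELLS_FILE
#   no-shell        shell is nologin or false
#   shell           any other shell listed in SHELLS_FILE
#   unlisted-shell  any other shell not listed in SHELLS_FILE
classify_accounts() {
    awk -F: '
        # First file operand: the shells list, one path per line.
        FILENAME == ARGV[1] { if ($0 != "" && $0 !~ /^#/) listed[$0] = 1; next }
        /^#/ || NF < 7 { next }
        {
            sh = $7
            if (sh == "") sh = "/bin/sh"   # empty shell field means /bin/sh
            if (sh ~ /\/sftp-server$/)          st = (sh in listed) ? "sftp-only" : "sftp-unlisted"
            else if (sh ~ /\/(nologin|false)$/) st = "no-shell"
            else if (sh in listed)              st = "shell"
            else                                st = "unlisted-shell"
            print $1 ":" st
        }
    ' "$2" "$1"
}

# Runs the audit over constructed sample files so the script works offline.
sample_report() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
test:x:501:501::/home/test:/usr/libexec/openssh/sftp-server
upload:x:502:502::/home/upload:/usr/lib/openssh/sftp-server
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
EOF
    cat > "$dir/shells" <<'EOF'
# constructed shells list
/bin/sh
/bin/bash
/sbin/nologin
/usr/libexec/openssh/sftp-server
EOF
    classify_accounts "$dir/passwd" "$dir/shells"
    rm -rf "$dir"
}

sample_report
```

On a real server, run `classify_accounts /etc/passwd /etc/shells`; any `sftp-unlisted` line is an account where the second step was skipped or the path does not match.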
  3. Spiral

    Spiral BANNED

    Jun 24, 2005
    While SFTP does interface with the SSH server, the user logging in to SFTP
    does not have to have shell access. Just don't give SSH access out!

    I don't recommend that you stop the SSH server just because it can cause
    you a great deal of other headaches but moving it to another port, using
    certificates, disabling direct root access, and using only protocol 2 are all
    good steps for protecting it. Beyond that, just don't give anyone shell access.

    Now in regard to SFTP, like I said the user doesn't have to have shell access
    enabled to be able to use it but then at the same time I have to be curious
    as to the underlying reason you are pushing for SFTP only. If you are under
    the impression that FTP is being hacked anywhere recently, you are delusional
    and misinformed. While there is a lot of chatter (and bad assumptions) going
    around the net regarding that lately, the truth is the exploit being used has
    absolutely nothing to do with FTP whatsoever. Recent hackers have been
    capturing packets and keylogging users' own home computers and then
    using the information collected to log in to the users' own accounts at
    web hosting companies and banks which is incidentally why they usually
    get in on the first try without any brute force attempts.

    Bad news for those who think SFTP with certs might help, I've already seen
    this exploit used in the wild capturing encryption certificates and connecting
    by other "secure" means using a proxy off the user's own computer and
    certificates ripped from the user's own computer.

    Point in fact, if you are generally trying to increase security -- wouldn't hurt.

    If you are trying to protect from the recent exploit chatter - Then I laugh
    at you wholeheartedly because what you are doing is pointless. That said
    I am investigating solutions myself to try to help these users get protected
    and not get compromised in the first place.
