How to enable LDAP auth for SFTP logins only
If I understand your question correctly, you are looking to provide only the sftp service (that is, no interactive logins via ssh).
You can force connections to use the sftp service by adding this to your sshd_config file:
ForceCommand internal-sftp
This is documented in the sshd_config man page:
ForceCommand
Forces the execution of the command specified by ForceCommand, ignoring any command supplied by the client and ~/.ssh/rc if present. The command is invoked by using the user's login shell with the -c option. This applies to shell, command, or subsystem execution. It is most useful inside a Match block. The command originally supplied by the client is available in the SSH_ORIGINAL_COMMAND environment variable. Specifying a command of "internal-sftp" will force the use of an in-process sftp server that requires no support files when used with ChrootDirectory.
You can modify /etc/pam.d/sshd to configure sshd to use the normal pam_ldap module rather than the pam module provided by Centrify.
With these configuration changes in place, sftp connections will use normal LDAP authentication, and interactive shells will not be available.
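A concrete version of the two changes above, as an added example rather than the answerer's own configuration. It assumes a group named sftponly for the LDAP SFTP users and a chroot tree under /srv/sftp; note that PAM cannot tell an sftp session from an ssh session, since both go through /etc/pam.d/sshd, so it is the Match block (not PAM) that keeps shells out of reach.

```text
# /etc/ssh/sshd_config
# Use the in-process sftp server so the chroot needs no binaries or libraries.
Subsystem sftp internal-sftp

# Match blocks must come after all global settings, since everything
# below a Match line applies only to the matched connections.
Match Group sftponly
    ForceCommand internal-sftp
    # Assumed layout: /srv/sftp/<user> must be owned by root and not
    # group- or world-writable, or sshd refuses the chroot.
    ChrootDirectory /srv/sftp/%u
    AllowTcpForwarding no
    X11Forwarding no
    PermitTunnel no

# /etc/pam.d/sshd
# Replace the "@include common-auth" / "@include common-account" lines,
# which pull in the Centrify module, with plain LDAP followed by local accounts.
auth    sufficient  pam_ldap.so
auth    required    pam_unix.so use_first_pass
account sufficient  pam_ldap.so
account required    pam_unix.so
```

Run `sshd -t` after editing sshd_config to catch syntax errors before restarting the daemon, and keep an existing root session open while testing the PAM change.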
GregB
Updated on September 18, 2022
Comments
- GregB almost 2 years
I currently use ActiveDirectory for authentication on my Ubuntu 10.04 servers using a tool called Centrify Express. Centrify has a custom .so file that is configured in /etc/pam.d/common-auth.
I'd like to do normal LDAP authentication (bypassing Centrify) for just SFTP users (not SSH logins). How would I configure /etc/pam.d/sshd to try LDAP authentication for SFTP logins, but not SSH logins? The idea is that my SFTP OU would allow users to download and upload files, but they wouldn't be able to get a shell.
- user2751502 about 12 years: What is it about Centrify that makes plain LDAP a more suitable alternative for sftp users?
- GregB about 12 years: Centrify Express (the free version) doesn't allow us to control the UID and GID of users/groups. When a user connects, they are given a random UID near the top of the range. This makes managing permissions across servers difficult.