How to enable LDAP auth for SFTP logins only

If I understand your question correctly, you are looking to provide only sftp service (that is, no interactive logins via ssh).

You can force connections to use the sftp service by adding this to your sshd_config file:

ForceCommand internal-sftp

This is documented in the sshd_config man page:

ForceCommand
  Forces the execution of the command specified by ForceCommand, ignoring any
  command supplied by the client and ~/.ssh/rc if present.  The command is
  invoked by using the user’s login shell with the -c option.  This applies to
  shell, command, or subsystem execution.  It is most useful inside a Match
  block.  The command originally supplied by the client is available in the
  SSH_ORIGINAL_COMMAND environment variable.  Specifying a command of
  “internal-sftp” will force the use of an in-process sftp server that requires
  no support files when used with ChrootDirectory.

You can modify /etc/pam.d/sshd to configure sshd to use the normal pam_ldap module rather than the pam module provided by Centrify.

With these configuration changes in place, sftp connections will use normal LDAP authentication, and interactive shells will not be available.

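As an added example (not GregB's or the answer's own configuration), a constructed sshd_config fragment that applies the lockdown only to members of an assumed `sftponly` POSIX group (the SFTP OU mapped through LDAP), plus a small Python resolver that applies sshd's Match semantics so you can check which accounts actually receive the forced command:

```python
from fnmatch import fnmatch

# Constructed sshd_config fragment (assumed group name "sftponly"): only members
# of that group get the forced command and chroot; every other account keeps its
# shell. ChrootDirectory must be root-owned and not group/world-writable.
SSHD_CONFIG = """
Subsystem sftp internal-sftp
UsePAM yes
Match Group sftponly
    ChrootDirectory /srv/sftp/%u
    ForceCommand internal-sftp
    AllowTcpForwarding no
"""

def parse(text):
    """Return (global_settings, [(criteria, settings), ...]) in file order."""
    global_settings, blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        key = key.lower()
        if key == "match":
            words = value.split()  # e.g. ["Group", "sftponly"]
            current = {}
            blocks.append((dict(zip([w.lower() for w in words[::2]], words[1::2])), current))
        else:
            (global_settings if current is None else current)[key] = value.strip()
    return global_settings, blocks

def criteria_match(criteria, user, groups):
    """Every criterion on the Match line must hold; patterns are comma-separated globs."""
    subjects = {"user": [user], "group": list(groups)}
    for crit, patterns in criteria.items():
        if crit not in subjects:
            return False  # Address/Host/etc. are not modelled here
        if not any(fnmatch(s, p) for p in patterns.split(",") for s in subjects[crit]):
            return False
    return True

def effective_config(text, user, groups):
    """Match-block values override globals; the first matching block wins per keyword."""
    settings, blocks = parse(text)
    overrides = {}
    for criteria, block in blocks:
        if criteria_match(criteria, user, groups):
            for key, value in block.items():
                overrides.setdefault(key, value)
    return {**settings, **overrides}
```

On a real host, `sshd -T -C user=alice,host=client.example,addr=192.0.2.10` (constructed values) prints the effective configuration for that connection and is the authoritative check; the PAM change in /etc/pam.d/sshd is outside what this resolver models.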

Author: GregB
Updated on September 18, 2022

Comments

  • GregB
    GregB almost 2 years

    I currently use Active Directory for authentication on my Ubuntu 10.04 servers using a tool called Centrify Express. Centrify has a custom .so file that is configured in /etc/pam.d/common-auth.

    I'd like to do normal LDAP authentication (bypassing Centrify) for just SFTP users (not SSH logins). How would I configure /etc/pam.d/sshd to try LDAP authentication for SFTP logins, but not SSH logins? The idea is that my SFTP OU would allow users to download and upload files, but they wouldn't be able to get a shell.

    • user2751502
      user2751502 about 12 years
      What is it about Centrify that makes plain LDAP a more suitable alternative for sftp users?
    • GregB
      GregB about 12 years
      Centrify Express (the free version) doesn't allow us to control the UID and GID of users/groups. When a user connects, they are given a random UID near the top of the range. This makes managing permissions across servers difficult.