
I need to allow a user to connect to a Mac OS X 10.5.7 Leopard box, and restrict them to log in only by SFTP, to a chrooted jail.

I've successfully configured OpenSSH using internal-sftp so the user can use sftp but not get a raw ssh session. To do that I created a user and added them to a group, then used a Match Group entry in sshd_config.

However, the user is also showing up on the user selection screen at the console, and can log in interactively there.

I've modified the user's UID to be 499, but that trick doesn't work on Leopard any more - and doesn't stop a user from typing the credentials in manually anyway.

Changing the user's shell doesn't seem to help either - it just prevents sftp from working.

Any ideas on how I can lock this user out of an interactive login?

Bill Michell
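The sshd_config setup the question describes (a Match Group block that chroots the group and forces internal-sftp), as an added example that is not part of the original post. The first function prints such a block; the second audits an existing sshd_config and reports whether the group's Match block actually carries both ChrootDirectory and ForceCommand internal-sftp, which is the check to run after editing. The group name sftponly and the chroot path /Users/Shared/sftp are assumptions chosen for illustration, and the AllowTcpForwarding/X11Forwarding lines are standard additions not mentioned in the question.

```shell
#!/bin/sh
# Added example, not the question author's configuration.
# Assumed names: group "sftponly", chroot "/Users/Shared/sftp".

# Print the Match block for an SFTP-only group. The chroot directory
# must be owned by root and not writable by the user, or sshd refuses it.
sftp_only_match_block() {
  group="${1:-sftponly}"
  chroot="${2:-/Users/Shared/sftp}"
  cat <<EOF
Match Group $group
    ChrootDirectory $chroot
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
EOF
}

# Audit an sshd_config file. Returns 0 when the Match block for the group
# contains both ChrootDirectory and "ForceCommand internal-sftp", 1 otherwise.
# Any later Match line ends the block, as sshd itself treats it.
check_sftp_only_config() {
  file="$1"
  group="${2:-sftponly}"
  awk -v grp="$group" '
    $1 == "Match" {
      inblock = ($2 == "Group" && $3 == grp) ? 1 : 0
      next
    }
    inblock && $1 == "ChrootDirectory" { chroot = 1 }
    inblock && $1 == "ForceCommand" && $2 == "internal-sftp" { force = 1 }
    END { if (chroot && force) exit 0; exit 1 }
  ' "$file"
}

# Demo on a constructed sample file (not a real sshd_config on this host).
demo_sftp_only_check() {
  tmp="${TMPDIR:-/tmp}/sftp_only_demo.$$"
  {
    echo "Subsystem sftp internal-sftp"
    sftp_only_match_block sftponly /Users/Shared/sftp
  } > "$tmp"
  if check_sftp_only_config "$tmp" sftponly; then
    echo "ok: sftponly is chrooted and forced to internal-sftp"
  else
    echo "missing: sftponly block lacks ChrootDirectory or ForceCommand"
  fi
  rm -f "$tmp"
}

demo_sftp_only_check
```

Run the audit against the live file with `check_sftp_only_config /etc/sshd_config sftponly` (Leopard keeps sshd_config under /etc) after editing, and remember that the Subsystem line must point at internal-sftp for the forced command to work inside the chroot.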

1 Answer


For not showing the user on the loginwindow you can use the defaults command:

defaults write /Library/Preferences/com.apple.loginwindow Hide500Users -bool YES

However this won't stop them from entering their credentials if you use the username/password setting on loginwindow instead of clicking on a username.

Chealion
  • Happy to up-vote since the advice works as far as it goes. However, I'm not going to accept it as the answer, since it doesn't actually close the security hole - just masks it a bit. – Bill Michell Jul 28 '09 at 08:11
  • It's security through obscurity! Because as everyone knows that stuff is unbreakable! ;-) – Chealion Jul 28 '09 at 15:48