-1

Is it possible to restrict access for a particular local user in Linux, with the conditions mentioned below:

  1. User should have no direct shell access
  2. User should be able to log in with the command "su -" from any other user's shell
  3. User should be able to do SFTP via the WinSCP client and copy files from the local machine to the user's home directory
Arun Krishnan
  • not possible, try to set up FTP instead – Orphans Dec 21 '16 at 06:50
  • I have tried disabling shell access, but that disables FTP access via WinSCP as well. My ultimate aim is that the user should be able to upload files via WinSCP and also switch user to a DB user like "oracle", but no direct shell access should be available. – Arun Krishnan Dec 21 '16 at 07:16

1 Answer

2

When you say no direct shell access, I assume that restriction is only meant to apply in regards to ssh logins?

If so, the easiest solution is to enforce SFTP-only in your /etc/ssh/sshd_config.

    Match User oracle
        ForceCommand internal-sftp
andol
  • Adding the above rule will restrict WinSCP access. – Arun Krishnan Dec 21 '16 at 08:45
  • @ArunKrishnan Are you sure that you are using WinSCP in SFTP mode and not in SCP mode? – andol Dec 21 '16 at 08:46
  • Adding the above rule will restrict WinSCP access. The issue is, the DB team needs WinSCP access to upload files from their local machine. For DB management, they need oracle DB user access with "su -". But because of security issues, we can't enable direct SSH access. Any solution which can fulfill all the above 3? – Arun Krishnan Dec 21 '16 at 08:47
  • Yes, I used WinSCP in FTP, SFTP and SCP modes. But no luck – Arun Krishnan Dec 21 '16 at 12:36
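
One way to check the answer's `Match User` / `ForceCommand internal-sftp` rule against the question's conditions, as an added example that is not part of the original thread: it confirms that SSH is limited to SFTP for the account and that the account still has a login shell for `su -` to start. The user names `dbupload` and `dba1`, the UIDs and both sample files are constructed, and the parsing is simplified; on a live host `sshd -T -C user=oracle` reports the effective settings.

```shell
# Added example; the files below are constructed samples, not taken from a real host.

# Print the ForceCommand sshd would apply to user $2 according to config file $1.
# Assumption: only "Match User a,b" with literal names is evaluated; every other
# Match line is treated as not matching. sshd keeps the first value it sees.
forced_command() {
    awk -v user="$2" 'BEGIN { active = 1 }          # global section applies to all
        { sub(/^[ \t]+/, "") }
        /^#/ || /^$/ { next }
        tolower($1) == "match" {
            active = 0
            if (tolower($2) == "user") {
                n = split($3, names, ",")
                for (i = 1; i <= n; i++) if (names[i] == user) active = 1
            }
            next
        }
        active && !found && tolower($1) == "forcecommand" {
            $1 = ""; sub(/^ /, ""); print; found = 1
        }' "$1"
}

# Return 0 if user $3 is SFTP-only over SSH (config $1) and keeps a usable login
# shell in passwd file $2, so "su - USER" from another account still works.
check_sftp_only() {
    forced=$(forced_command "$1" "$3")
    shell=$(awk -F: -v user="$3" '$1 == user { print $7 }' "$2")
    case "$forced" in
        internal-sftp|internal-sftp\ *) ;;
        *) echo "$3: SSH is not limited to SFTP (ForceCommand: ${forced:-none})"; return 1 ;;
    esac
    case "$shell" in
        ""|*/nologin|*/false) echo "$3: login shell '${shell:-none}' would break su -"; return 2 ;;
    esac
    echo "$3: SFTP-only over SSH, su - starts $shell"
}

demo_dir=$(mktemp -d)
cat > "$demo_dir/sshd_config" <<'EOF'
Subsystem sftp internal-sftp
Match User oracle,dbupload
      ForceCommand internal-sftp
EOF
cat > "$demo_dir/passwd" <<'EOF'
oracle:x:54321:54321::/home/oracle:/bin/bash
dbupload:x:1001:1001::/home/dbupload:/sbin/nologin
dba1:x:1000:1000::/home/dba1:/bin/bash
EOF
for u in oracle dbupload dba1; do check_sftp_only "$demo_dir/sshd_config" "$demo_dir/passwd" "$u" || :; done
```

`ForceCommand` is applied by sshd only, so it does not affect `su -`; that is why the check looks at the passwd shell field separately.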