Centrify in an AD environment to allow users sftp access but not allow those users ssh access?

Participant II
Posts: 2
Registered: ‎01-11-2019
#1 of 3 491

Centrify in an AD environment to allow users sftp access but not allow those users ssh access?

Apart from the root user (or any others specifically listed), is there a way in a Centrify/AD environment to allow users sftp access but not allow those users ssh access?

Centrify Advisor I
Posts: 90
Registered: ‎09-23-2015
#2 of 3 464

Re: Centrify in an AD environment to allow users sftp access but not allow those users ssh access?

Hello @scott-rathbone,

Welcome to the Centrify community!

Please see the following test I have:

On the Windows / Access manager console side:
1) Create a group where you want to grant members of this group sftp-only permission
2) You could grant the sftp role at either the zone or the machine level. Grant the predefined "sftp" role to the group just created.
3) Add the sftp user as a member of the new group

On the sftp server side:
1) On the server, update the /etc/centrifydc/ssh/sshd_config file:
Change
#ServiceAuthLocation /usr/share/centrifydc/libexec/dzsshchk
to
ServiceAuthLocation /usr/share/centrifydc/libexec/dzsshchk

And change
Subsystem sftp /usr/share/centrifydc/libexec/sftp-server
#Subsystem sftp internal-sftp
to
#Subsystem sftp /usr/share/centrifydc/libexec/sftp-server
Subsystem sftp internal-sftp
2) Restart the Centrify sshd service

Now the test member of the sftp group can only sftp to the server but is not able to log in.

Hope it helps. Thank you!

BR,

Ivan
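
A way to confirm that the two sshd_config edits in the answer above are actually in effect, as an added example that is not part of the original posts or Centrify's own tooling. The function name check_sftp_only and the sample file are constructed; the directive names and paths are the ones quoted in the answer, and only the global section of the file (everything before the first Match block) is checked.

```sh
#!/bin/sh
# Added example (constructed): audit a Centrify sshd_config for the two edits
# described in the answer above.
# Exit status: 0 = both settings as described, 1 = mismatch, 2 = unreadable file.
check_sftp_only() {
    conf=$1
    [ -r "$conf" ] || { echo "ERROR: cannot read $conf"; return 2; }
    awk '
        NF == 0 || $1 ~ /^#/ { next }      # skip blank and commented-out lines
        { key = tolower($1) }              # sshd keywords are case-insensitive
        key == "match" { exit }            # audit the global section only
        key == "serviceauthlocation" && auth == "" { auth = $2 }
        key == "subsystem" && $2 == "sftp" { if (++n == 1) sftp = $3 }
        END {
            bad = 0
            if (auth == "/usr/share/centrifydc/libexec/dzsshchk") {
                print "OK:   ServiceAuthLocation " auth
            } else {
                print "FAIL: ServiceAuthLocation is " (auth == "" ? "commented out or missing" : auth)
                bad = 1
            }
            if (n == 1 && sftp == "internal-sftp") {
                print "OK:   Subsystem sftp internal-sftp"
            } else if (n > 1) {
                print "FAIL: " n " active Subsystem sftp lines, expected exactly one"
                bad = 1
            } else {
                print "FAIL: Subsystem sftp is " (n == 0 ? "commented out or missing" : sftp)
                bad = 1
            }
            exit bad
        }
    ' "$conf"
}

# Constructed sample: the settings as quoted in the answer before any edit.
demo=$(mktemp)
cat > "$demo" <<'EOF'
#ServiceAuthLocation /usr/share/centrifydc/libexec/dzsshchk
Subsystem sftp /usr/share/centrifydc/libexec/sftp-server
#Subsystem sftp internal-sftp
EOF
check_sftp_only "$demo" || echo "=> edits from the answer are not applied in this sample"
rm -f "$demo"
```

On a real server, run `check_sftp_only /etc/centrifydc/ssh/sshd_config` after editing and before restarting the Centrify sshd service.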

Participant II
Posts: 2
Registered: ‎01-11-2019
#3 of 3 447

Re: Centrify in an AD environment to allow users sftp access but not allow those users ssh access?

Many thanks. I'll give it a try.