Hi, does anyone know how to disable the execution of any command via ssh and disable the scp/sftp service?
OK: ssh user@host
NO: ssh user@host cat /etc/passwd
NO: scp user@host:/etc/passwd /tmp
NO: sftp user@host
Many thanks!
The last one is easy. Remove the following line from /etc/ssh/sshd_config:
Subsystem sftp /usr/libexec/openssh/sftp-server
The others may just not be possible.
If a user can ssh in, then type 'cat /etc/passwd' at their normal prompt, there is no way to prevent them from just doing 'ssh user@host cat /etc/passwd'.
Since /etc/passwd still usually needs to be world readable, you just aren't going to be able to prevent people from reading it (unless you get into some fancy new SELinux-fu). Note that you should save password hashes in /etc/shadow (which isn't readable by users) in any case.
If you -really- want to do this, you might be able to do it by assigning those users a special shell with a wrapper that exits immediately if the session is not an 'interactive' shell. I haven't tested this, but it should work for at least the first 'NO' case, and possibly for the scp as well.
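
One way to write the wrapper shell suggested in the last reply, as an added example that is not from the thread: it relies on sshd starting the login shell with no arguments for an interactive login and with `-c <command>` when a command is requested. The install path `/usr/local/bin/interactive-only-shell`, `REAL_SHELL` and the function names are assumptions.

```shell
#!/bin/sh
# Hypothetical wrapper, installed as /usr/local/bin/interactive-only-shell and
# set as the restricted user's login shell (path and name are assumptions).

REAL_SHELL=/bin/bash   # assumption: shell handed to interactive logins

# Classify the session from the way sshd started us.
# $1 = "tty" or "notty" (is stdin a terminal); remaining args = our own argv.
# Prints "allow" or "deny:<reason>".
classify_session() {
    tty_state=$1
    shift
    if [ "$#" -gt 0 ]; then
        # A requested command (including scp's remote side) arrives as:
        #   <shell> -c '<command>'
        echo "deny:command"
    elif [ "$tty_state" != "tty" ]; then
        # No command, but no terminal either (ssh -T, or input piped on stdin)
        echo "deny:notty"
    else
        echo "allow"
    fi
}

main() {
    if [ -t 0 ]; then tty_state=tty; else tty_state=notty; fi
    verdict=$(classify_session "$tty_state" "$@")
    if [ "$verdict" = "allow" ]; then
        exec "$REAL_SHELL" -l
    fi
    # Leave an audit trail of refused sessions, then refuse.
    logger -t interactive-only-shell \
        "refused ${verdict#deny:} session for ${USER:-unknown}" 2>/dev/null || true
    echo "Only interactive logins are permitted on this account." >&2
    exit 1
}

# Dispatch only when run under the wrapper's own name, so the file can be
# sourced or tested without starting a shell.
case "$0" in
    */interactive-only-shell) main "$@" ;;
esac
```

As the reply above says, this only restricts how commands reach the host; anything the user can read at the interactive prompt stays readable.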