KB-24908: Can WinSCP be used in a restricted shell

Authentication Service

23 December,19 at 11:31 PM


Can WinSCP be used in a restricted shell?


Yes, WinSCP can be used with a restricted shell, given the proper rights. The user can then use WinSCP but cannot execute commands when they ssh to the system.


To allow the use of WinSCP in a restricted shell, follow these steps:

1. Set "dzsh.roleswitch.silent" to "true" in centrifydc.conf. This can also be done via Group Policy:

   => Computer Configuration
      => Centrify Settings
         => DirectControl Settings
            => "Add centrifydc.conf properties"

               Property Name: dzsh.roleswitch.silent
               Property Value: true


2. Create a new Command Right called sftp-server with the command "/usr/share/centrifydc/libexec/sftp-server" (if using Centrify openssh). If using stock openssh, check the "Subsystem sftp" setting in /etc/ssh/ssh_config for the proper path.

3. Create a new role, Restricted WinSCP, and add the following rights:

 a. PAM Access Right for "ssh" and "sshd".

 b. SSH Right for "dzssh-shell"

 c. The newly created Command Right for "sftp-server"


4. This new role should only have the following System Rights:

 a. Password login and non-password (SSO) login are allowed

 b. Non-password (SSO) login is allowed

 c. User is visible

5. Assign the new role to the user or group that requires the use of WinSCP in the restricted shell.

Note: Run adreload or restart adclient to pick up the centrifydc.conf change. If Group Policy is used, run adgpupdate to apply the change to centrifydc.conf immediately, and then run adreload or restart adclient.
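
The following script is an added example, not part of the original article or Centrify tooling. It checks the two host-side settings from steps 1 and 2 before the role is assigned. The function names, the "name: value" file format, and the sample files are assumptions made for illustration; pass it your centrifydc.conf and the OpenSSH configuration file that holds the "Subsystem sftp" line.

```shell
#!/bin/sh
# Added example, not Centrify tooling: checks the host-side settings from steps 1-2.

# conf_value FILE KEY: print KEY's value from a centrifydc.conf-style file.
# Assumed format: "name: value" or "name=value"; lines starting with "#" are comments.
conf_value() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        {
            line = $0; sub(/^[ \t]+/, "", line)
            if (index(line, key) != 1) next
            rest = substr(line, length(key) + 1)
            if (rest !~ /^[ \t]*[:=]/) next      # a longer property name, skip
            sub(/^[ \t]*[:=][ \t]*/, "", rest); sub(/[ \t\r]+$/, "", rest)
            val = rest; found = 1                # last occurrence wins (assumed)
        }
        END { if (!found) exit 1; print val }' "$1"
}

# sftp_subsystem_cmd FILE: print the command named on the "Subsystem sftp" line.
sftp_subsystem_cmd() {
    awk 'tolower($1) == "subsystem" && $2 == "sftp" { print $3; found = 1; exit }
         END { if (!found) exit 1 }' "$1"
}

# check_winscp_prereqs CONF SSHCONF: return 0 only if both checks pass.
check_winscp_prereqs() {
    rc=0
    silent=$(conf_value "$1" dzsh.roleswitch.silent) || silent="(unset)"
    if [ "$silent" = "true" ]; then
        echo "OK: dzsh.roleswitch.silent is true"
    else
        echo "FAIL: dzsh.roleswitch.silent is $silent, expected true"; rc=1
    fi
    cmd=$(sftp_subsystem_cmd "$2") || cmd="(none)"
    case "$cmd" in
        /*) echo "OK: use $cmd as the sftp-server Command Right path" ;;
        *)  echo "FAIL: Subsystem sftp is $cmd, not an absolute path"; rc=1 ;;
    esac
    return "$rc"
}

# Constructed sample files, for demonstration only.
d=$(mktemp -d)
printf '%s\n' '# sample' 'dzsh.roleswitch.silent: true' > "$d/centrifydc.conf"
printf '%s\n' 'Subsystem sftp /usr/share/centrifydc/libexec/sftp-server' > "$d/ssh.conf"
check_winscp_prereqs "$d/centrifydc.conf" "$d/ssh.conf"
rm -rf "$d"
```

A "Subsystem sftp" line that names something other than an absolute path is reported as a failure, because the Command Right in step 2 is defined by the path of the sftp-server binary.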