Can WinSCP be used in a restricted shell?
Yes, WinSCP can be used with a restricted shell, provided the user is granted the proper rights. The user can transfer files with WinSCP but cannot execute commands when they ssh to the system.
To allow the use of WinSCP in a restricted shell, follow these steps:
1. Set "dzsh.roleswitch.silent" to "true" in centrifydc.conf. This can also be done via Group Policy:
"Add centrifydc.conf properties"
Property Name: dzsh.roleswitch.silent
Property Value: true
2. Create a new Command Right called sftp-server with the command "/usr/share/centrifydc/libexec/sftp-server" (if using Centrify OpenSSH). If using stock OpenSSH, check the "Subsystem sftp" line in /etc/ssh/sshd_config for the proper path to the sftp-server binary.
3. Create a new role, Restricted WinSCP, and add the following rights:
a. PAM Access Right for "ssh" and "sshd".
b. SSH Right for "dzssh-shell"
c. The newly created Command Right for "sftp-server"
4. This new role should only have the following System Rights:
a. Password login and non-password (SSO) login are allowed
b. Non-password (SSO) login is allowed
c. User is visible
5. Assign the new role to the user or group that requires the use of WinSCP in the restricted shell.
Note: Run adreload or restart adclient to pick up the centrifydc.conf change. If Group Policy is used, please run adgpupdate to apply the change to centrifydc.conf immediately, and then run adreload or restart adclient.
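The following shell script is an added example, not part of the original article or of the Centrify product, covering the two file-level checks in steps 1 and 2: it reads the active "Subsystem sftp" command out of an sshd_config file (so the Command Right names the right binary) and sets a property in a centrifydc.conf-style file without leaving a second, conflicting copy behind. It assumes centrifydc.conf uses the "name: value" line format and works on constructed sample files in a temporary directory rather than the real /etc/ssh/sshd_config and /etc/centrifydc/centrifydc.conf. One caveat it handles: if sshd is configured with "Subsystem sftp internal-sftp", the SFTP server runs inside sshd and there is no separate sftp-server binary to name in a Command Right.

```shell
#!/bin/sh
# Added example (not from the original article): helpers for steps 1 and 2.
set -eu

# Print the command on the first active (non-comment) "Subsystem sftp" line.
# Prints nothing if no such line exists.
sftp_subsystem_path() {
    awk 'tolower($1) == "subsystem" && tolower($2) == "sftp" { print $3; exit }' "$1"
}

# Set "name: value" in a "name: value" style config file (assumed centrifydc.conf
# format). An existing entry, even a commented-out one, is replaced in place so the
# file never ends up with two copies of the key; otherwise the entry is appended.
# Prints the resulting line.
set_conf_property() {
    file=$1; name=$2; value=$3
    tmp="$file.tmp"
    awk -v n="$name" -v v="$value" '
        {
            k = $0
            sub(/^[[:space:]]*#?[[:space:]]*/, "", k)   # drop a leading comment marker
            sub(/[[:space:]]*:.*$/, "", k)               # keep only the key part
        }
        k == n && !done { print n ": " v; done = 1; next }
        { print }
        END { if (!done) print n ": " v }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
    grep "^$name:" "$file"
}

# Constructed sample files for the demonstration (not real system config).
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cat > "$WORK/sshd_config" <<'EOF'
# Subsystem sftp /usr/lib/openssh/sftp-server   (commented out; must be ignored)
Port 22
Subsystem sftp /usr/share/centrifydc/libexec/sftp-server
EOF
cat > "$WORK/centrifydc.conf" <<'EOF'
# dzsh.roleswitch.silent: false
adclient.hash.allow: true
EOF

# Step 2: find the binary the Command Right must reference.
path=$(sftp_subsystem_path "$WORK/sshd_config")
case "$path" in
    "")            echo "no Subsystem sftp line found in sshd_config" ;;
    internal-sftp) echo "sshd uses internal-sftp: no separate sftp-server binary to grant" ;;
    *)             echo "Command Right should name: $path" ;;
esac

# Step 1: set the property (reload adclient afterwards on a real system).
set_conf_property "$WORK/centrifydc.conf" dzsh.roleswitch.silent true
```

Running the script prints the sftp-server path found in the sample sshd_config and the line "dzsh.roleswitch.silent: true" that replaced the commented-out entry; on a real host, point the two functions at the actual files and follow with adreload.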