# openssh and internal-sftp

## trogie

Hello,

I was configuring an internal-sftp only system this weekend with OpenSSH.

Lots of pages on the internet but I only got it working without changing the login shell.

So I have a 'Match Group sftponly' statement in my sshd_config with chrootdirectory setup. I add the users to the sftponly group and change their login to /sbin/nologin or /bin/false but then I only get PAM authentication failures...

The only way to get it working is keep the login shells of the users on /bin/bash.

Is this normal?

----------

## Hu

No.  You should be able to set their shell to any of the values listed in /etc/shells, not just /bin/bash.  If you want them to be able to sftp, but not log in interactively, use the sshd_config directive ForceCommand instead of changing their login shell.

----------

## trogie

OK, of course I can change it to anything in /etc/shells but I cannot change it to '/sbin/nologin' or '/bin/false'. I'm using the 'ForceCommand' in my 'Match' section.

----------

## trogie

OK, I had to add '/sbin/nologin' or '/bin/false' to /etc/shells

----------
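The check the thread converges on, as an added example that is not part of the original posts: list every member of the sftp-only group whose login shell is not in the shells file, which is the condition that made PAM reject the logins. It assumes the PAM stack for sshd includes pam_shells; the function names and the sample accounts are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the thread): find sftp-only users whose login
# shell is missing from the shells file.

# shell_listed SHELL SHELLS_FILE: exit 0 if SHELL is a non-comment line
shell_listed() {
    grep -v '^[[:space:]]*#' "$2" | grep -Fxq -- "$1"
}

# group_members GROUP PASSWD GROUP_FILE: one user per line, covering
# supplementary members and users whose primary GID is the group's
group_members() {
    gid=$(awk -F: -v g="$1" '$1 == g { print $3 }' "$3")
    {
        awk -F: -v g="$1" '$1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) print m[i] }' "$3"
        awk -F: -v gid="$gid" 'gid != "" && $4 == gid { print $1 }' "$2"
    } | sort -u
}

# audit_sftp_shells GROUP PASSWD GROUP_FILE SHELLS_FILE
# prints "user:shell" for each member whose shell is not listed
audit_sftp_shells() {
    for u in $(group_members "$1" "$2" "$3"); do
        sh=$(awk -F: -v u="$u" '$1 == u { print $7 }' "$2")
        [ -n "$sh" ] || sh=/bin/sh   # an empty passwd shell field means /bin/sh
        shell_listed "$sh" "$4" || printf '%s:%s\n' "$u" "$sh"
    done
}

# make_sample DIR: constructed passwd/group/shells files (not real accounts)
make_sample() {
    cat > "$1/passwd" <<'EOF'
alice:x:1001:1001::/home/alice:/sbin/nologin
bob:x:1002:1002::/home/bob:/bin/bash
carol:x:1003:2000::/home/carol:/bin/false
dave:x:1004:1004::/home/dave:/sbin/nologin
EOF
    printf 'sftponly:x:2000:alice,bob\n' > "$1/group"
    printf '%s\n' '# /etc/shells' /bin/sh /bin/bash > "$1/shells"
}

demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
make_sample "$demo_dir"
audit_sftp_shells sftponly "$demo_dir/passwd" "$demo_dir/group" "$demo_dir/shells"
```

On a real host, call `audit_sftp_shells sftponly /etc/passwd /etc/group /etc/shells`; an empty result means every member's shell is listed.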

