[wplug] sftp only account
Arnaud
lists at arnaudloos.com
Thu Jun 30 15:57:22 EDT 2011
I would like to setup an account on my system that allows read only SFTP
access to a user and allows them access to only a single folder
(/home/username).
I found directions on how to do so
(http://blog.markvdb.be/2009/01/sftp-on-ubuntu-and-debian-in-9-easy.html),
summarized below.
Step 1: If it doesn't exist yet, create a group for the users you want to
have sftp access only:

    mark@neuskeutel:~$ sudo groupadd sftponly

Step 2: Add user "peter" to this group:

    mark@neuskeutel:~$ sudo adduser peter sftponly

Step 3: Install openssh-server if it's not installed yet.

    mark@neuskeutel:~$ sudo apt-get install openssh-server

Step 4: Open the default OpenSSH server configuration for editing:

    mark@neuskeutel:~$ sudo nano /etc/ssh/sshd_config

Step 5: Change the default sftp server from:

    Subsystem sftp /usr/lib/openssh/sftp-server

to

    Subsystem sftp internal-sftp

Step 6: Some users can only use sftp, but not other OpenSSH features like
remote login. Let's create a rule for that group of users (we'll create the
group afterwards). Add the following section to the bottom of
/etc/ssh/sshd_config:

    Match group sftponly
        ChrootDirectory /home/%u
        X11Forwarding no
        AllowTcpForwarding no
        ForceCommand internal-sftp

Step 7: Pass ownership of peter's directory you want to be sftp accessible
to the superuser:

    mark@neuskeutel:~$ sudo chown root.root /home/peter

Step 8: Now we change peter's home directory (normally /home/peter) to /:

    sudo usermod -d / peter
I skipped step 8 and left their home directory as /home/username. My user
can connect, and their starting directory is /home/username, but they can
still navigate outside of this directory and have access to the entire
filesystem. How do I prevent this?

Thanks.
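Added example (not code from the original post or from the linked blog): two small POSIX shell helpers for the setup described above. The first prints the sshd_config fragment the steps call for, with the Match block last. The second reproduces the rule sshd itself applies before it will chroot a session: ChrootDirectory and every path component above it must be owned by root and must not be group- or world-writable, otherwise sshd refuses the login. The TOP and OWNER_UID parameters are assumptions added so the check can be exercised on a constructed directory tree without root privileges; in real use call it as `check_chroot_path /home/peter`.

```shell
#!/bin/sh
# Added example, not code from the original post or from the linked blog.
#   sftp_match_block GROUP          prints the sshd_config fragment for GROUP
#   check_chroot_path DIR [TOP] [OWNER_UID]
#       checks DIR and each ancestor up to TOP (default /) for the ownership
#       rule sshd enforces on ChrootDirectory: owned by OWNER_UID (default 0,
#       i.e. root) and neither group- nor world-writable.
#       TOP and OWNER_UID are assumptions added for testing without root.

sftp_match_block() {
    group=${1:-sftponly}
    cat <<EOF
Subsystem sftp internal-sftp

# Keep this block at the end of sshd_config: every directive after a Match
# line belongs to that block until the next Match line.
Match Group $group
    ChrootDirectory /home/%u
    ForceCommand internal-sftp
    X11Forwarding no
    AllowTcpForwarding no
EOF
}

check_chroot_path() {
    dir=$1
    top=${2:-/}
    want_uid=${3:-0}
    p=$dir
    while :; do
        uid=$(stat -c '%u' "$p") || return 2
        perm=$(stat -c '%A' "$p") || return 2      # e.g. drwxr-xr-x
        if [ "$uid" != "$want_uid" ]; then
            echo "FAIL: $p is owned by uid $uid, expected uid $want_uid"
            return 1
        fi
        # character 6 of the symbolic mode is the group write bit,
        # character 9 is the world write bit
        case $perm in
            ?????w*)    echo "FAIL: $p is group-writable ($perm)"; return 1 ;;
        esac
        case $perm in
            ????????w*) echo "FAIL: $p is world-writable ($perm)"; return 1 ;;
        esac
        [ "$p" = "$top" ] && break
        [ "$p" = "/" ] && break
        p=$(dirname "$p")
    done
    echo "OK: $dir and its ancestors up to $top satisfy sshd's chroot rules"
    return 0
}
```

After adding the fragment, validate the file with `sudo sshd -t` and restart sshd; a Match block only takes effect for sessions started after the restart. Because the chroot directory is root-owned, the user can read but not write anywhere inside it unless root creates a subdirectory owned by that user, which is exactly the read-only outcome the post asks for.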