[wplug] sftp only account

Arnaud lists at arnaudloos.com
Thu Jun 30 15:57:22 EDT 2011


I would like to set up an account on my system that allows read-only SFTP
access to a user and allows them access to only a single folder
(/home/username).

I found directions on how to do so (
http://blog.markvdb.be/2009/01/sftp-on-ubuntu-and-debian-in-9-easy.html),
summarized below.

Step 1: If it doesn't exist yet, create a group for the users you want to
have sftp access only:
mark at neuskeutel:~$ sudo groupadd sftponly

Step 2: Add user "peter" to this group:
mark at neuskeutel:~$ sudo adduser peter sftponly

Step 3: Install openssh-server if it's not installed yet.
mark at neuskeutel:~$ sudo apt-get install openssh-server

Step 4: Open the default OpenSSH server configuration for editing:
mark at neuskeutel:~$ sudo nano /etc/ssh/sshd_config

Step 5: Change the default sftp server from:
Subsystem sftp /usr/lib/openssh/sftp-server

to
Subsystem sftp internal-sftp

Step 6: Some users can only use sftp, but not other OpenSSH features like
remote login. Let's create a rule for that group of users (we'll create the
group afterwards). Add the following section to the bottom of
/etc/ssh/sshd_config:
Match group sftponly
ChrootDirectory /home/%u
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp

Step 7: Pass ownership of peter's directory you want to be sftp accessible
to the superuser:
mark at neuskeutel:~$ sudo chown root:root /home/peter

Step 8: Now we change peter's home directory (normally /home/peter) to /:
sudo usermod -d / peter

I skipped step 8 and left their home directory as /home/username. My user
can connect, and their starting directory is /home/username, but they can
still navigate outside of this directory and have access to the entire
filesystem. How do I prevent this?

Thanks.