[wplug] sftp only account

Max Putas maxblaze at gmail.com
Thu Jun 30 16:06:59 EDT 2011


Arnaud,

I think it's because you left out step 8. Since this is a chroot jail,
their home directory will be root (/) from the perspective of the
user.

On Thu, Jun 30, 2011 at 3:57 PM, Arnaud <lists at arnaudloos.com> wrote:
> I would like to setup an account on my system that allows read only SFTP
> access to a user and allows them access to only a single folder
> (/home/username).
>
> I found directions on how to do so
> (http://blog.markvdb.be/2009/01/sftp-on-ubuntu-and-debian-in-9-easy.html),
> summarized below.
>
> Step 1: If it doesn't exist yet, create a group for the users you want to
> have sftp access only:
> mark at neuskeutel:~$ sudo groupadd sftponly
>
> Step 2: Add user "peter" to this group:
> mark at neuskeutel:~$ sudo adduser peter sftponly
>
> Step 3: Install openssh-server if it's not installed yet.
> mark at neuskeutel:~$ sudo apt-get install openssh-server
>
> Step 4: Open the default OpenSSH server configuration for editing:
> mark at neuskeutel:~$ sudo nano /etc/ssh/sshd_config
>
> Step 5: Change the default sftp server from:
> Subsystem sftp /usr/lib/openssh/sftp-server
>
> to
> Subsystem sftp internal-sftp
>
> Step 6: Some users can only use sftp, but not other OpenSSH features like
> remote login. Let's create a rule for that group of users (we'll create the
> group afterwards). Add the following section to the bottom of
> /etc/ssh/sshd_config:
> Match group sftponly
> ChrootDirectory /home/%u
> X11Forwarding no
> AllowTcpForwarding no
> ForceCommand internal-sftp
>
> Step 7: Pass ownership of peter's directory you want to be sftp accessible
> to the superuser:
> mark at neuskeutel:~$ sudo chown root.root /home/peter
>
> Step 8: Now we change peter's home directory (normally /home/peter) to /:
> sudo usermod -d / peter
>
> I skipped step 8 and left their home directory as /home/username. My user
> can connect, and their starting directory is /home/username, but they can
> still navigate outside of this directory and have access to the entire
> filesystem. How do I prevent this?
>
> Thanks.
>
>
> _______________________________________________
> wplug mailing list
> wplug at wplug.org
> http://www.wplug.org/mailman/listinfo/wplug
>
>



-- 
Thanks,

Max Putas
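
As an added example (mine, not from either poster), a small shell audit of the two things the thread's recipe depends on: that sshd_config actually carries the step 5/6 settings for the sftponly group, and that the ChrootDirectory and every directory above it meet sshd's ownership rule from step 7. The sshd_config contents below are constructed samples; `check_chroot_dir` walks real directories, while `component_ok` judges a single `ls -ld` line so it can be exercised on constructed input.

```shell
# component_ok "<one line of ls -ld output>": succeeds only if the entry is
# owned by root and has no group or other write bit, which is what sshd
# demands of the ChrootDirectory and every directory above it (thread step 7).
component_ok() {
  mode=$(echo "$1" | awk '{print $1}'); owner=$(echo "$1" | awk '{print $3}')
  [ "$owner" = root ] || return 1
  case "$mode" in ?????w*) return 1 ;; ????????w*) return 1 ;; esac
  return 0
}

# check_chroot_dir DIR: apply component_ok to DIR and each parent up to /.
check_chroot_dir() {
  p=$1; rc=0
  while :; do
    component_ok "$(ls -ld "$p")" || { echo "unsafe chroot component: $p"; rc=1; }
    [ "$p" = / ] && break
    p=$(dirname "$p")
  done
  return $rc
}

# check_sshd_config FILE GROUP: succeeds only if the global Subsystem line is
# internal-sftp (step 5) and the "Match group GROUP" block sets both
# ChrootDirectory and ForceCommand internal-sftp (step 6).
check_sshd_config() {
  f=$1; grp=$2; rc=0
  grep -Eiq '^[[:space:]]*Subsystem[[:space:]]+sftp[[:space:]]+internal-sftp' "$f" ||
    { echo "missing: Subsystem sftp internal-sftp"; rc=1; }
  # Collect the lines of the Match block for GROUP, up to the next Match or EOF.
  block=$(awk -v g="$grp" \
    'tolower($1)=="match" { blk = (tolower($2)=="group" && $3==g); next } blk' "$f")
  printf '%s\n' "$block" | grep -Eiq '^[[:space:]]*ChrootDirectory[[:space:]]' ||
    { echo "missing: ChrootDirectory in Match group $grp"; rc=1; }
  printf '%s\n' "$block" | grep -Eiq '^[[:space:]]*ForceCommand[[:space:]]+internal-sftp' ||
    { echo "missing: ForceCommand internal-sftp in Match group $grp"; rc=1; }
  return $rc
}

# Constructed sshd_config samples (not real files from the thread): GOOD_CFG
# mirrors steps 5 and 6; BAD_CFG keeps the stock sftp-server Subsystem line and
# omits ForceCommand, so group members are not confined to SFTP at all.
GOOD_CFG=$(mktemp); BAD_CFG=$(mktemp)
printf '%s\n' 'Subsystem sftp internal-sftp' 'Match group sftponly' \
  '    ChrootDirectory /home/%u' '    X11Forwarding no' \
  '    AllowTcpForwarding no' '    ForceCommand internal-sftp' > "$GOOD_CFG"
printf '%s\n' 'Subsystem sftp /usr/lib/openssh/sftp-server' \
  'Match group sftponly' '    ChrootDirectory /home/%u' > "$BAD_CFG"
```

Run `check_sshd_config /etc/ssh/sshd_config sftponly` and `check_chroot_dir /home/peter` as root on the real host; a non-empty report from either explains why sshd is not confining the user.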

