[wplug] sftp only account

Bill Moran wmoran at potentialtech.com
Thu Jun 30 16:04:41 EDT 2011


In response to Arnaud <lists at arnaudloos.com>:

> I would like to set up an account on my system that allows read only SFTP
> access to a user and allows them access to only a single folder
> (/home/username).
> 
> I found directions on how to do so (
> http://blog.markvdb.be/2009/01/sftp-on-ubuntu-and-debian-in-9-easy.html),
> summarized below.
> 
> Step 1: If it doesn't exist yet, create a group for the users you want to
> have sftp access only:
> mark at neuskeutel:~$ sudo groupadd sftponly
> 
> Step 2: Add user "peter" to this group:
> mark at neuskeutel:~$ sudo adduser peter sftponly
> 
> Step 3: Install openssh-server if it's not installed yet.
> mark at neuskeutel:~$ sudo apt-get install openssh-server
> 
> Step 4: Open the default OpenSSH server configuration for editing:
> mark at neuskeutel:~$ sudo nano /etc/ssh/sshd_config
> 
> Step 5: Change the default sftp server from:
> Subsystem sftp /usr/lib/openssh/sftp-server
> 
> to
> Subsystem sftp internal-sftp
> 
> Step 6: Some users can only use sftp, but not other OpenSSH features like
> remote login. Let's create a rule for that group of users (we'll create the
> group afterwards). Add the following section to the bottom of
> /etc/ssh/sshd_config:
> Match group sftponly
> ChrootDirectory /home/%u
> X11Forwarding no
> AllowTcpForwarding no
> ForceCommand internal-sftp
> 
> Step 7: Pass ownership of peter's directory you want to be sftp accessible
> to the superuser:
> mark at neuskeutel:~$ sudo chown root.root /home/peter
> 
> Step 8: Now we change peter's home directory (normally /home/peter) to /:
> sudo usermod -d / peter
> 
> I skipped step 8 and left their home directory as /home/username. My user
> can connect, and their starting directory is /home/username, but they can
> still navigate outside of this directory and have access to the entire
> filesystem. How do I prevent this?

I would guess that your failure to do step 8 is what caused the problem.

The SSH config is chrooting to /home/$user, and it doesn't seem as if
that chroot is succeeding.  If doing step 8 doesn't fix it, then there
are a few things to try:
1) 2x check step 6
2) Did you restart sshd after doing step 6?
3) Run sshd in debug mode and see if it reports any errors on connect

-- 
Bill Moran
http://www.potentialtech.com
http://people.collaborativefusion.com/~wmoran/
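The two checks below are an added example, not code from the thread or from the linked blog post. They audit the two things the reply tells Arnaud to verify: that the sshd_config really carries the step 5 and step 6 directives for the `sftponly` group, and that the directory named in ChrootDirectory satisfies the rule sshd enforces before it will chroot at all (the directory and every directory above it must be owned by root and must not be writable by group or others; otherwise sshd refuses the login and logs "bad ownership or modes for chroot directory"). The `WANT_UID` and `STOP_AT` arguments are assumptions added so the walk can be exercised on a throwaway tree owned by an unprivileged user; on a real system call it with the defaults.

```shell
#!/bin/sh
# Audit helpers for a chrooted, sftp-only account (added example; not from
# the thread or the linked blog post). Assumes the group name "sftponly"
# and the directives from steps 5 and 6 of the quoted procedure.

# check_chroot_path DIR [WANT_UID] [STOP_AT]
# sshd refuses to chroot unless DIR and every directory above it are owned
# by root and not writable by group or others. Walks from DIR up to STOP_AT
# (default "/") and reports the first component that breaks the rule.
# WANT_UID (default 0) and STOP_AT are assumptions added so the walk can be
# run against a temporary tree owned by an unprivileged user.
check_chroot_path() {
    dir=$1
    want_uid=${2:-0}
    stop=${3:-/}
    p=$dir
    while :; do
        # ls -ldn prints the mode string and the numeric owner uid portably,
        # e.g. "drwxr-xr-x 2 0 0 4096 Jun 30 16:04 /home/peter"
        set -- $(ls -ldn "$p")
        mode=$1
        uid=$3
        if [ "$uid" != "$want_uid" ]; then
            echo "FAIL: $p is owned by uid $uid, expected uid $want_uid"
            return 1
        fi
        case "$mode" in
            ?????w*|????????w*)   # position 6 = group write, 9 = other write
                echo "FAIL: $p is group- or world-writable ($mode)"
                return 1 ;;
        esac
        [ "$p" = "$stop" ] || [ "$p" = "/" ] && break
        p=$(dirname "$p")
    done
    echo "OK: $dir and its parents up to $stop are root-style (owner-only writable)"
    return 0
}

# check_sshd_config FILE
# Confirms FILE switches the sftp subsystem to internal-sftp (step 5) and
# that the "Match group sftponly" block forces internal-sftp inside a
# ChrootDirectory (step 6). Keywords are case-insensitive, as in sshd.
check_sshd_config() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }
        tolower($1) == "subsystem" && $2 == "sftp" && $3 == "internal-sftp" { subsys = 1 }
        tolower($1) == "match" {
            inblock = (tolower($2) == "group" && $3 == "sftponly"); next
        }
        inblock && tolower($1) == "chrootdirectory" { chroot = 1 }
        inblock && tolower($1) == "forcecommand" && $2 == "internal-sftp" { force = 1 }
        END {
            if (!subsys) print "FAIL: Subsystem sftp internal-sftp is missing"
            if (!chroot) print "FAIL: no ChrootDirectory inside Match group sftponly"
            if (!force)  print "FAIL: no ForceCommand internal-sftp inside Match group sftponly"
            exit !(subsys && chroot && force)
        }
    ' "$1"
}

# Stand-alone demo on a constructed tree and config; nothing here touches
# the real /home or /etc/ssh.
demo=$(mktemp -d)
mkdir -p "$demo/home/peter"
chmod 755 "$demo/home" "$demo/home/peter"
check_chroot_path "$demo/home/peter" "$(id -u)" "$demo"
chmod 775 "$demo/home/peter"     # group-writable: sshd would refuse this chroot
check_chroot_path "$demo/home/peter" "$(id -u)" "$demo"
cat > "$demo/sshd_config" <<'EOF'
Subsystem sftp internal-sftp
Match group sftponly
    ChrootDirectory /home/%u
    X11Forwarding no
    AllowTcpForwarding no
    ForceCommand internal-sftp
EOF
check_sshd_config "$demo/sshd_config"
rm -rf "$demo"
```

On the real box the calls are `check_chroot_path /home/peter` and `check_sshd_config /etc/ssh/sshd_config`, followed by `sshd -t` to syntax-check the file and a restart of sshd, since the Match block is only read at restart. If the user can still walk the whole filesystem after that, the chroot is not being applied at all, and running sshd in debug mode as the reply suggests will show the refusal reason on connect.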