[wplug] sftp only account

Bill Moran wmoran at potentialtech.com
Thu Jun 30 16:04:41 EDT 2011

In response to Arnaud <lists at arnaudloos.com>:

> I would like to set up an account on my system that allows read only SFTP
> access to a user and allows them access to only a single folder
> (/home/username).
> I found directions on how to do so (
> http://blog.markvdb.be/2009/01/sftp-on-ubuntu-and-debian-in-9-easy.html),
> summarized below.
> Step 1: If it doesn't exist yet, create a group for the users you want to
> have sftp access only:
> mark@neuskeutel:~$ sudo groupadd sftponly
> Step 2: Add user "peter" to this group:
> mark@neuskeutel:~$ sudo adduser peter sftponly
> Step 3: Install openssh-server if it's not installed yet.
> mark@neuskeutel:~$ sudo apt-get install openssh-server
> Step 4: Open the default OpenSSH server configuration for editing:
> mark@neuskeutel:~$ sudo nano /etc/ssh/sshd_config
> Step 5: Change the default sftp server from:
> Subsystem sftp /usr/lib/openssh/sftp-server
> to
> Subsystem sftp internal-sftp
> Step 6: Some users can only use sftp, but not other OpenSSH features like
> remote login. Let's create a rule for that group of users (we'll create the
> group afterwards). Add the following section to the bottom of
> /etc/ssh/sshd_config:
> Match group sftponly
> ChrootDirectory /home/%u
> X11Forwarding no
> AllowTcpForwarding no
> ForceCommand internal-sftp
> Step 7: Pass ownership of peter's directory you want to be sftp accessible
> to the superuser:
> mark@neuskeutel:~$ sudo chown root.root /home/peter
> Step 8: Now we change peter's home directory (normally /home/peter) to /:
> sudo usermod -d / peter
> I skipped step 8 and left their home directory as /home/username. My user
> can connect, and their starting directory is /home/username, but they can
> still navigate outside of this directory and have access to the entire
> filesystem. How do I prevent this?

I would guess that your failure to do step 8 is what caused the problem.

The SSH config is chrooting to /home/$user, and it doesn't seem as if
that chroot is succeeding.  If doing step 8 doesn't fix it, then there
are a few things to try:
1) 2x check step 6
2) Did you restart sshd after doing step 6?
3) Run sshd in debug mode and see if it reports any errors on connect

Bill Moran
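As an added example (not code from the thread or from the linked blog post), a small Python checker for the two things Bill suggests verifying: that the Match block from step 6 is actually present in sshd_config, and that sshd would accept the ChrootDirectory at all. sshd refuses to chroot unless every path component from / down is owned by root and not writable by group or others, which is why step 7 exists; the function names and the sample config in the test are my own.

```python
import os
import stat

def parse_match_blocks(config_text):
    """Map each sshd_config 'Match <criteria>' block to its lower-cased keyword -> value pairs."""
    blocks, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key, value = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if key == "match":
            current = value.lower()
            blocks[current] = {}
        elif current is not None:  # directives before the first Match are global; skip them
            blocks[current][key] = value
    return blocks

def chroot_path_problems(path):
    """Why sshd would refuse ChrootDirectory `path`: each component must exist, be root-owned, not group/world writable."""
    problems, comps, p = [], [], os.path.abspath(path)
    while True:  # collect /, /home, /home/peter, ... (checked from / downward)
        comps.append(p)
        parent = os.path.dirname(p)
        if parent == p:
            break
        p = parent
    for comp in reversed(comps):
        try:
            st = os.stat(comp)
        except FileNotFoundError:
            problems.append(f"{comp}: does not exist")
            break
        mode = stat.S_IMODE(st.st_mode)
        if st.st_uid != 0:
            problems.append(f"{comp}: owned by uid {st.st_uid}, must be root")
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            problems.append(f"{comp}: mode {oct(mode)} is group/world writable")
    return problems

def sftp_jail_problems(config_text, group, user):
    """Check the 'Match group <group>' block for one user (%u expanded as sshd does)."""
    block = parse_match_blocks(config_text).get(f"group {group.lower()}")
    if block is None:
        return [f"no 'Match group {group}' block in sshd_config"]
    if "chrootdirectory" not in block:
        return ["ChrootDirectory missing from Match block"]
    return chroot_path_problems(block["chrootdirectory"].replace("%u", user))
```

Run it with the contents of /etc/ssh/sshd_config, the group name and a user in that group; an empty list means the config and directory modes are not the reason the jail is missing, which leaves a stale sshd (no restart) or a user who is not really in the group.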
