[wplug] sftp only account

Arnaud lists at arnaudloos.com
Thu Jun 30 20:53:50 EDT 2011


Thanks Max and Bill. You were right, step 8 did it. I don't properly
understand chroot and I didn't see how my desired outcome would be achieved.
I had previously included step 8 but when I connected I was in / with
privileges to browse around, that's the reason I later omitted it. My
mistake was that although I issued a service restart after making the change
I missed the part where the system responded that the restart request
failed. Adding step 8 and rebooting the system solved the problem.

Thanks.
On Thu, Jun 30, 2011 at 4:06 PM, Max Putas <maxblaze at gmail.com> wrote:

> Arnaud,
>
> I think it's because you left out step 8. Since this is a chroot jail,
> their home directory will be root (/) from the perspective of the
> user.
>
> On Thu, Jun 30, 2011 at 3:57 PM, Arnaud <lists at arnaudloos.com> wrote:
> > I would like to setup an account on my system that allows read only SFTP
> > access to a user and allows them access to only a single folder
> > (/home/username).
> >
> > I found directions on how to do so
> > (http://blog.markvdb.be/2009/01/sftp-on-ubuntu-and-debian-in-9-easy.html),
> > summarized below.
> >
> > Step 1: If it doesn't exist yet, create a group for the users you want to
> > have sftp access only:
> > mark at neuskeutel:~$ sudo groupadd sftponly
> >
> > Step 2: Add user "peter" to this group:
> > mark at neuskeutel:~$ sudo adduser peter sftponly
> >
> > Step 3: Install openssh-server if it's not installed yet.
> > mark at neuskeutel:~$ sudo apt-get install openssh-server
> >
> > Step 4: Open the default OpenSSH server configuration for editing:
> > mark at neuskeutel:~$ sudo nano /etc/ssh/sshd_config
> >
> > Step 5: Change the default sftp server from:
> > Subsystem sftp /usr/lib/openssh/sftp-server
> >
> > to
> > Subsystem sftp internal-sftp
> >
> > Step 6: Some users can only use sftp, but not other OpenSSH features like
> > remote login. Let's create a rule for that group of users (we'll create the
> > group afterwards). Add the following section to the bottom of
> > /etc/ssh/sshd_config:
> > Match group sftponly
> > ChrootDirectory /home/%u
> > X11Forwarding no
> > AllowTcpForwarding no
> > ForceCommand internal-sftp
> >
> > Step 7: Pass ownership of peter's directory you want to be sftp accessible
> > to the superuser:
> > mark at neuskeutel:~$ sudo chown root.root /home/peter
> >
> > Step 8: Now we change peter's home directory (normally /home/peter) to /:
> > sudo usermod -d / peter
> >
> > I skipped step 8 and left their home directory as /home/username. My user
> > can connect, and their starting directory is /home/username, but they can
> > still navigate outside of this directory and have access to the entire
> > filesystem. How do I prevent this?
> >
> > Thanks.
> >
> >
> > _______________________________________________
> > wplug mailing list
> > wplug at wplug.org
> > http://www.wplug.org/mailman/listinfo/wplug
>
> --
> Thanks,
>
> Max Putas
>
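The thread ends on two practical points: the ChrootDirectory path has to be root-owned and not group/world-writable (step 7), and the restart that failed unnoticed is what made it look as if the configuration had no effect. The script below is an added example, not code from the thread or from the linked blog post. It prints the Match block from step 6, walks a chroot path checking every component the way sshd does before it will confine a login, and wraps the restart so that a failed restart cannot be missed. It assumes GNU coreutils `stat -c` and a Debian/Ubuntu host with the service named `ssh`, as in the thread; the directory it checks at the bottom is a constructed temporary one, not a real user's home.

```shell
#!/bin/sh
# Added example, not from the thread or the linked blog post.
# Helpers for the sftp-only chroot setup discussed above:
#   render_match_block  prints the Match block appended to sshd_config (step 6)
#   check_chroot_path   checks what ChrootDirectory requires of the path: every
#                       component from / down must be owned by root and not be
#                       writable by group or others, otherwise sshd rejects the
#                       login ("bad ownership or modes for chroot directory
#                       component") instead of confining it
#   apply_and_restart   parses the config and restarts sshd, failing loudly
# Assumes GNU coreutils stat (-c) on a Debian/Ubuntu host, as in the thread.

# Print the sshd_config section from step 6 for the given group.
render_match_block() {
    group="$1"
    printf '%s\n' \
        "Match group $group" \
        "    ChrootDirectory /home/%u" \
        "    X11Forwarding no" \
        "    AllowTcpForwarding no" \
        "    ForceCommand internal-sftp"
}

# Return 0 if DIR is owned by uid 0 and carries no group/other write bit,
# otherwise print the reason on stderr and return 1.
check_one_component() {
    dir="$1"
    owner=$(stat -c '%u' "$dir" 2>/dev/null) || { echo "BAD: $dir does not exist" >&2; return 1; }
    mode=$(stat -c '%a' "$dir")
    if [ "$owner" != 0 ]; then
        echo "BAD: $dir is owned by uid $owner; every ChrootDirectory component must be root-owned" >&2
        return 1
    fi
    # 0$mode is read as octal; 022 masks the group and other write bits.
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "BAD: $dir has mode $mode; it must not be group- or world-writable" >&2
        return 1
    fi
    return 0
}

# Walk from / down to TARGET, checking every component; return 1 if any fails.
check_chroot_path() {
    target="$1"
    rc=0
    cur=""
    check_one_component / || rc=1
    old_ifs=$IFS
    IFS=/
    for comp in $target; do
        [ -n "$comp" ] || continue
        cur="$cur/$comp"
        check_one_component "$cur" || rc=1
    done
    IFS=$old_ifs
    return $rc
}

# Parse the config before restarting, and refuse to continue if either step
# fails: the thread's problem was a restart whose failure message was missed.
# Needs root, so it is defined here but not run by the demonstration below.
apply_and_restart() {
    sudo /usr/sbin/sshd -t || { echo "sshd_config does not parse; not restarting" >&2; return 1; }
    sudo service ssh restart || { echo "restart FAILED; the old configuration is still active" >&2; return 1; }
    echo "sshd restarted with the new configuration"
}

# Demonstration on a constructed directory (not a real user's home): a
# group-writable, non-root-owned path fails the check, as it would in sshd.
demo=$(mktemp -d)
chmod 775 "$demo"
render_match_block sftponly
if check_chroot_path "$demo"; then
    echo "$demo would be accepted as a ChrootDirectory"
else
    echo "$demo would be rejected as a ChrootDirectory (reasons above)"
fi
rmdir "$demo"
```

Because the chroot directory itself is root-owned, the user cannot create files in it, which is the read-only outcome the original question asked for; if uploads are wanted later, the usual approach is a user-owned subdirectory inside the chroot, not changing the ownership of the chroot directory, which would make sshd reject the login again.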