|
|
(One intermediate revision by the same user not shown) |
Line 1: |
Line 1: |
| In this post, I'll show you how to set up secure ftp (SFTP) access to your Ubuntu server. (Instructions for Debian are very similar: leave out the sudo part and follow these steps as root:)
| | Something I've wanted to do for quite some time and now that I'm building an Ubuntu server to replace my Fedora Core attic server, now was a good time to look into this. |
|
| |
|
| For this to work, you'll need Ubuntu 8.10 "Intrepid", Debian 5.0 "Lenny" or newer. In this example, mark is the user that can gain superuser rights through sudo. "peter" and a few other users are the ones I want to give sftp access to their personal folder, but not shell access or anything else.
| | http://wiki.tony-su.com/How_to_restrict_sftp_user_in_Ubuntu |
|
| |
|
| Step 1: If it doesn't exist yet, create a group for the users you want to have sftp access only:
| | See page history if link is down. |
| <pre>
| |
| sudo groupadd sftponly
| |
| </pre>
| |
|
| |
|
| Step 2: Add user "peter" to this group:
| | [[Category:Linux]] |
| <pre>
| |
| sudo adduser peter sftponly
| |
| </pre>
| |
| | |
| Step 3: Install openssh-server if it's not installed yet.
| |
| <pre>
| |
| sudo apt-get install openssh-server
| |
| </pre>
| |
| | |
| Step 4: Open the default OpenSSH server configuration for editing:
| |
| <pre>
| |
| sudo nano /etc/ssh/sshd_config
| |
| </pre>
| |
| | |
| Step 5: Change the default sftp server from:
| |
| <pre>
| |
| Subsystem sftp /usr/lib/openssh/sftp-server
| |
| </pre>
| |
| to
| |
| <pre>
| |
| Subsystem sftp internal-sftp
| |
| </pre>
| |
| | |
| Step 6: Some users can only use sftp, but not other OpenSSH features like remote login. Let's create a rule for that group of users (we'll create the group afterwards). Add the following section to the bottom of /etc/ssh/sshd_config:
| |
| <pre>
| |
| Match group sftponly
| |
| ChrootDirectory /home/%u
| |
| X11Forwarding no
| |
| AllowTcpForwarding no
| |
| ForceCommand internal-sftp
| |
| </pre>
| |
| | |
| Step 7: Pass ownership of peter's directory you want to be sftp accessible to the superuser:
| |
| <pre>
| |
| sudo chown root.root /home/peter
| |
| </pre>
| |
| | |
| Step 8: Now we change peter's home directory (normally /home/peter) to /:
| |
| <pre>
| |
| sudo usermod -d / peter
| |
| </pre>
| |
| | |
| Step 9: Repeat steps 2, 7 and 8 for any other users that you want to give sftp access.
| |
| | |
| Step 10: restart sshd
| |
| <pre>
| |
| sudo /etc/init.d/ssh restart
| |
| </pre>
| |
| | |
| Note: to disable the sftp user to use ssh login, change to
| |
| <pre>
| |
| sudo usermod -s=/bin/false username
| |
| </pre>
| |
| | |
| reference: http://blog.markvdb.be/2009/01/sftp-on-ubuntu-and-debian-in-9-easy.html
| |