
Restrict SFTP User to Home Directory: Difference between revisions

From Mike Beane's Blog

In this post, I'll show you how to set up secure ftp (SFTP) access to your Ubuntu server. (Instructions for Debian are very similar: leave out the sudo part and follow these steps as root.)


For this to work, you'll need Ubuntu 8.10 "Intrepid", Debian 5.0 "Lenny" or newer. In this example, mark is the user who can gain superuser rights through sudo. "peter" and a few other users are the ones I want to give sftp access to their personal folders, but no shell access or anything else.


Step 1: If it doesn't exist yet, create a group for the users who should have sftp access only:
<pre>
sudo groupadd sftponly
</pre>


Step 2: Add user "peter" to this group:
<pre>
sudo adduser peter sftponly
</pre>
 
Step 3: Install openssh-server if it's not installed yet.
<pre>
sudo apt-get install openssh-server
</pre>
 
Step 4: Open the default OpenSSH server configuration for editing:
<pre>
sudo nano /etc/ssh/sshd_config
</pre>
 
Step 5: Change the default sftp server from:
<pre>
Subsystem sftp /usr/lib/openssh/sftp-server
</pre>
to
<pre>
Subsystem sftp internal-sftp
</pre>
 
Step 6: Users in the sftponly group (created in step 1) may only use sftp, not other OpenSSH features such as remote login or port forwarding. Let's create a rule for that group. Add the following section to the bottom of /etc/ssh/sshd_config (it has to go at the end, because every directive after a Match line applies only to that match):
<pre>
Match group sftponly
ChrootDirectory /home/%u
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp
</pre>
 
Step 7: Pass ownership of peter's directory (the one you want to be sftp accessible) to the superuser. sshd only accepts a ChrootDirectory if it and all of its parent directories are owned by root and writable by nobody else, which also means peter cannot create files directly in /home/peter itself:
<pre>
sudo chown root:root /home/peter
</pre>
 
Step 8: Now we change peter's home directory (normally /home/peter) to /:
<pre>
sudo usermod -d / peter
</pre>
 
Step 9: Repeat steps 2, 7 and 8 for any other users that you want to give sftp access.
 
Step 10: Restart sshd:
<pre>
sudo /etc/init.d/ssh restart
</pre>
 
Note: to prevent the sftp user from also logging in over ssh, set the user's shell to /bin/false:
<pre>
sudo usermod -s /bin/false username
</pre>
 
reference: http://blog.markvdb.be/2009/01/sftp-on-ubuntu-and-debian-in-9-easy.html

Latest revision as of 00:30, 10 December 2010

Something I've wanted to do for quite some time and now that I'm building an Ubuntu server to replace my Fedora Core attic server, now was a good time to look into this.

http://wiki.tony-su.com/How_to_restrict_sftp_user_in_Ubuntu

See page history if link is down.