sFTP: Restrict SSH users


Postby ^rooker » Thu Sep 07, 2017 2:28 am

This HowTo shows how to setup a Debian/Ubuntu based Linux server in a way that allows some users to have full SSH access, while others can only access their home folders by sFTP.

NOTE: The first steps (1-3) must only be executed once per system.

1) Create the group "ftpusers"
$ groupadd -r ftpusers


2) Add "sftp-server" binary as shell:
As root run:
$ echo "/usr/lib/sftp-server" >> /etc/shells


3) Modify your sshd_config for chroot:
Add the following block to your /etc/ssh/sshd_config file:
# Restrict FTP-only users:
Match Group ftpusers
ChrootDirectory /home/%u
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp


Don't forget to restart your sshd for these changes to take effect:
$ service ssh restart


4) Create a new user
...and add it to "ftpusers", and change its shell to "sftp-server".
$ usermod -a -G ftpusers USERNAME
$ usermod -s /usr/lib/sftp-server USERNAME

Then set root as the owner of the USERNAME's home folder. This is required for chroot to work.
$ chown root ~USERNAME
$ chmod 755 ~USERNAME


That should be it.
Now you can serve sFTP accounts without worrying about users wandering around on your server...


Jumping out of an airplane is not a basic instinct. Neither is breathing underwater. But put the two together and you're traveling through space!
^rooker
Site Admin
Posts: 1444
Joined: Fri Aug 29, 2003 8:39 pm
Reputation: 0
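The four steps above, collected into one script as an added example (this is not ^rooker's code; it assumes the account already exists, that its home is /home/<user> so that it matches ChrootDirectory /home/%u, and Debian/Ubuntu tooling: groupadd, usermod, service, sshd -t). It defaults to printing the commands; set DRY_RUN=0 to apply them as root. Steps 1-3 are skipped when the group, shell entry or Match block is already present, so the script is safe to rerun, and a user name that is not a plain lowercase account name is refused before it reaches usermod or chown.

```shell
#!/bin/sh
# Added example, not from the forum post: steps 1-4 of the HowTo as one
# idempotent script. Assumptions beyond the page: the user already exists,
# its home is /home/<user> (matching ChrootDirectory /home/%u), and Debian/
# Ubuntu tools (groupadd, usermod, service, sshd -t) are available.
set -eu

FTP_GROUP="ftpusers"
SFTP_SHELL="/usr/lib/sftp-server"
SSHD_CONFIG="/etc/ssh/sshd_config"
DRY_RUN="${DRY_RUN:-1}"   # 1 = only print the commands; DRY_RUN=0 applies them

# Accept only conservative user names (lowercase, digits, _ and -, not
# starting with a digit or -), so nothing unexpected reaches usermod/chown.
valid_username() {
    case "$1" in
        ''|*[!a-z0-9_-]*|[0-9-]*) return 1 ;;
    esac
    [ "${#1}" -le 32 ]
}

# Step 3: the Match block exactly as the HowTo gives it.
sftp_match_block() {
    cat <<EOF
# Restrict FTP-only users:
Match Group ${FTP_GROUP}
ChrootDirectory /home/%u
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp
EOF
}

# Print the command in dry-run mode, execute it otherwise.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Steps 1-3, once per system; each step is skipped if already done.
setup_system() {
    getent group "$FTP_GROUP" >/dev/null 2>&1 || run groupadd -r "$FTP_GROUP"
    grep -qxF "$SFTP_SHELL" /etc/shells 2>/dev/null ||
        run sh -c "echo '$SFTP_SHELL' >> /etc/shells"
    if ! grep -qx "Match Group ${FTP_GROUP}" "$SSHD_CONFIG" 2>/dev/null; then
        if [ "$DRY_RUN" = 1 ]; then
            printf 'append to %s:\n%s\n' "$SSHD_CONFIG" "$(sftp_match_block)"
        else
            sftp_match_block >> "$SSHD_CONFIG"
            sshd -t      # refuse to restart on a syntactically broken config
        fi
        run service ssh restart
    fi
}

# Step 4: restrict one existing user to sFTP and make its home chroot-able.
add_sftp_user() {
    user=$1
    valid_username "$user" || { echo "refusing user name: $user" >&2; return 1; }
    home="/home/$user"                 # what ChrootDirectory /home/%u resolves to
    run usermod -a -G "$FTP_GROUP" "$user"
    run usermod -s "$SFTP_SHELL" "$user"
    run chown root "$home"             # sshd requires a root-owned chroot target...
    run chmod 755 "$home"              # ...that is not group- or world-writable
}

# Usage: DRY_RUN=0 sh sftp-restrict.sh alice bob   (drop DRY_RUN=0 to preview)
if [ "$#" -gt 0 ]; then
    setup_system
    for u in "$@"; do add_sftp_user "$u"; done
fi
```

Running `sshd -t` before the restart matters: a typo in the appended block would otherwise leave sshd unable to start, and on a remote box that means the current session is the last one you get.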

BASH Script

Postby ^rooker » Thu Sep 07, 2017 3:25 am

If you intend to write a BASH script for creating new users like that, here's how you get the HOME folder of another user:
HOME=$(eval echo ~"$USERNAME")


Bad ownership of home directory

Postby ^rooker » Mon Oct 09, 2017 6:21 pm

If an error message like this appears when trying to login over sFTP, then things are not correctly configured:
Connection reset by peer
Could not connect to server

In /var/log/auth.log, a corresponding entry could look like this:
fatal: bad ownership or modes for chroot directory "/home/USERNAME"


The chroot target directory must be owned by root - and there must not be group write permissions to that folder.

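A pre-flight check for the failure described in this post, written here as an added example (not ^rooker's code). It also covers the home-directory lookup from the "BASH Script" post above, reading the home from the passwd database with getent instead of eval'ing a ~ expansion, which works for NSS/LDAP users too and never hands the user name to the shell. sshd does not only inspect the home folder itself: every component of the chroot path, from / down to the target, must be owned by root and must not be group- or world-writable, and the script walks the path the same way. It assumes GNU coreutils `stat -c` (present on Debian/Ubuntu).

```shell
#!/bin/sh
# Added example, not from the forum posts: a pre-flight check that reproduces
# what sshd verifies before "bad ownership or modes for chroot directory" is
# logged. Every component of the chroot path, from / down to the target, must
# be owned by root and must not be group- or world-writable.
# Assumes GNU coreutils 'stat -c' (Debian/Ubuntu); the user names passed on
# the command line are whatever accounts you want to check.
set -eu

# Home directory from the passwd database (covers local and NSS users), an
# alternative to eval'ing a ~ expansion that never hands the name to the shell.
home_of() {
    home=$(getent passwd "$1" | cut -d: -f6) || return 1
    [ -n "$home" ] || return 1
    printf '%s\n' "$home"
}

# Succeeds only if $1 is a directory owned by uid 0 with no group/world write
# bit; prints the reason otherwise, in wording close to sshd's auth.log entry.
dir_ok() {
    dir=$1
    [ -d "$dir" ] || { echo "not a directory: $dir"; return 1; }
    uid=$(stat -c %u "$dir")
    mode=$(stat -c %a "$dir")                 # e.g. 755 or 1777
    perm=$(printf '%s' "$mode" | tail -c 3)   # last three digits: owner/group/other
    grp_other=$(printf '%s' "$perm" | cut -c2-3)
    if [ "$uid" -ne 0 ]; then
        echo "bad ownership for chroot directory component \"$dir\": uid $uid, must be root"
        return 1
    fi
    case $grp_other in
        *[2367]*)   # a 2/3/6/7 digit in group or other means the write bit is set
            echo "bad modes for chroot directory component \"$dir\": $mode is group/world writable"
            return 1 ;;
    esac
}

# Walk / -> /home -> /home/<user>, failing at the first bad component.
check_chroot_path() {
    target=$1
    rest=${target#/}
    component=""
    dir_ok / || return 1
    while [ -n "$rest" ]; do
        part=${rest%%/*}
        case $rest in */*) rest=${rest#*/} ;; *) rest="" ;; esac
        [ -n "$part" ] || continue
        component="$component/$part"
        dir_ok "$component" || return 1
    done
    echo "ok: \"$target\" satisfies sshd's chroot ownership and mode checks"
}

# Usage: sh check-sftp-chroot.sh alice bob
for u in "$@"; do
    if home=$(home_of "$u"); then
        check_chroot_path "$home"
    else
        echo "no passwd entry for \"$u\""
    fi
done
```

Run it against each account in the ftpusers group before handing out credentials; a "Connection reset by peer" from the client side then already has its explanation on the server side.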
