sFTP: Restrict SSH users

Step-by-Step descriptions of how to do things.
^rooker
Site Admin
Posts: 1481
Joined: Fri Aug 29, 2003 8:39 pm

sFTP: Restrict SSH users

Post by ^rooker »

This HowTo shows how to setup a Debian/Ubuntu based Linux server in a way that allows some users to have full SSH access, while others can only access their home folders by sFTP.

NOTE: The first steps (1-3) only need to be executed once per system.

1) Create the group "ftpusers"

$ groupadd -r ftpusers

2) Add "sftp-server" binary as shell:
As root run:

$ echo "/usr/lib/sftp-server" >> /etc/shells

3) Modify your sshd_config for chroot:
Add the following block to your /etc/ssh/sshd_config file:

# Restrict FTP-only users:
Match Group ftpusers
    ChrootDirectory /home/%u
    X11Forwarding no
    AllowTcpForwarding no
    ForceCommand internal-sftp

Don't forget to restart your sshd for these changes to take effect:

$ service ssh restart

4) Create a new user
...and add it to "ftpusers", and change its shell to "sftp-server".

$ usermod -a -G ftpusers USERNAME
$ usermod -s /usr/lib/sftp-server USERNAME

Then set root as the owner of the USERNAME's home folder. This is required for chroot to work.

$ chown root ~USERNAME
$ chmod 755 ~USERNAME

That should be it.
Now you can serve sFTP accounts without worrying about users wandering around on your server...

Jumping out of an airplane is not a basic instinct. Neither is breathing underwater. But put the two together and you're traveling through space!
^rooker
Site Admin
Posts: 1481
Joined: Fri Aug 29, 2003 8:39 pm

BASH Script

Post by ^rooker »

If you intend to write a BASH script for creating new users like that, here's how you get the HOME folder of another user:

HOME=$(eval echo ~"$USERNAME")
^rooker
Site Admin
Posts: 1481
Joined: Fri Aug 29, 2003 8:39 pm

Bad ownership of home directory

Post by ^rooker »

If an error message like this appears when trying to log in over sFTP, then things are not correctly configured:

Connection reset by peer
Could not connect to server

In /var/log/auth.log, a corresponding entry could look like this:

fatal: bad ownership or modes for chroot directory "/home/USERNAME"

The chroot target directory must be owned by root, and there must not be group write permissions on that folder.

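The three posts above describe step 4 of the HowTo (account creation and home-folder ownership), a way to look up another user's home folder from a script, and the "bad ownership or modes" failure. The following script is an added example, not ^rooker's code, that ties them together: a home lookup via getent (instead of the eval/tilde trick), a check that mirrors what sshd verifies before chrooting, and a provisioning function for an sftp-only user. It assumes the sshd_config Match block from the first post is already in place, that the group is called ftpusers and the shell path is /usr/lib/sftp-server as in the HowTo, and it goes slightly beyond the posts in two places: sshd checks every component of the ChrootDirectory path, not only the last one, so the check walks up to "/"; and because the user no longer owns its home, a writable "upload" subdirectory is created inside the chroot (the directory name is an assumption).

```bash
#!/usr/bin/env bash
# Added example (not from the original posts): helpers for provisioning an
# sFTP-only account and checking the chroot directory the way sshd does.
# Assumes the "Match Group ftpusers ... ForceCommand internal-sftp" block
# from the HowTo is already in sshd_config. Root is needed only for
# provision_sftp_user; the check functions run unprivileged.

FTP_GROUP=ftpusers                 # group matched by the sshd Match block
SFTP_SHELL=/usr/lib/sftp-server    # shell path used in the HowTo (in /etc/shells)

# Home directory of a user, read from the passwd database with getent.
# Fails (non-zero, no output) for an unknown user instead of echoing "~name".
home_of() {
    getent passwd "$1" | cut -d: -f6 | grep .
}

# Check one directory: owned by the expected uid (root = 0 by default) and
# neither group- nor world-writable. Prints the reason to stderr on failure.
dir_ok() {
    local p=$1 want_uid=${2:-0} out uid perm
    out=$(stat -c '%u %A' "$p" 2>/dev/null) || { echo "$p: cannot stat" >&2; return 1; }
    set -- $out
    uid=$1 perm=$2                 # e.g. "0 drwxr-xr-x"
    if [ "$uid" != "$want_uid" ]; then
        echo "$p: owned by uid $uid, expected $want_uid" >&2
        return 1
    fi
    # character 6 is the group write bit, character 9 the world write bit
    case $perm in
        ?????w*|????????w*)
            echo "$p: group or world writable ($perm)" >&2
            return 1 ;;
    esac
    return 0
}

# sshd refuses the chroot if any component of the path is badly owned or
# writable, so walk from the target directory up to "/".
chroot_path_ok() {
    local p want_uid=${2:-0}
    p=$(cd "$1" 2>/dev/null && pwd -P) || { echo "$1: not a directory" >&2; return 1; }
    while :; do
        dir_ok "$p" "$want_uid" || return 1
        [ "$p" = / ] && return 0
        p=$(dirname "$p")
    done
}

# Step 4 of the HowTo as one function: create the account, add it to the
# group, set the sftp-only shell, hand the home folder to root with mode 755,
# then verify the result the way sshd will.
provision_sftp_user() {
    local u=$1 home
    [ "$(id -u)" -eq 0 ] || { echo "must run as root" >&2; return 1; }
    getent group "$FTP_GROUP" >/dev/null || groupadd -r "$FTP_GROUP"
    id "$u" >/dev/null 2>&1 || useradd -m -s "$SFTP_SHELL" "$u"
    usermod -a -G "$FTP_GROUP" -s "$SFTP_SHELL" "$u"
    home=$(home_of "$u") || return 1
    chown root "$home"
    chmod 755 "$home"
    # The user can no longer write to $home itself; give it a subdirectory
    # inside the chroot to upload into (directory name is an assumption).
    install -d -o "$u" -g "$(id -gn "$u")" -m 750 "$home/upload"
    chroot_path_ok "$home"
}

# Usage: ./sftp-user.sh add alice     (then try: chroot_path_ok /home/alice)
if [ "${1:-}" = "add" ] && [ -n "${2:-}" ]; then
    provision_sftp_user "$2"
fi
```

Running chroot_path_ok against /home/USERNAME after the steps in the first post reproduces sshd's decision without a login attempt: if it prints a reason, that is the same condition that produces the "bad ownership or modes for chroot directory" line in auth.log.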