Dev Notes

Software Development Resources by David Egan.

Set Up restricted SFTP Access Using OpenSSH


Linux, Sysadmin
David Egan

You can use OpenSSH to give users restricted, SFTP-only access to one directory of your filesystem: they authenticate with an ordinary SSH client, get no shell, and are confined to that directory by a chroot.

This guide is for OpenSSH_6.6.1p1 Ubuntu-2ubuntu2 running on Ubuntu Server 14.04.1 LTS.

Set Up a New User

# Create a new user (no home directory is created; the site directory is used instead)
sudo useradd guest-user

# Set a password
sudo passwd guest-user

# Set the home directory for the new user to the target site directory
sudo usermod -d /var/www/yoursite.com/public_html/subsite guest-user

Block SSH Access

Give the user a non-login shell so they cannot open an interactive session over SSH. This does not break SFTP: with the internal-sftp subsystem configured below, sshd serves SFTP in-process and never runs the login shell.

sudo usermod -s /bin/false guest-user

Configure SSH

First make a backup of sshd_config. Then edit the SSH config file:

sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config_bak
sudo nano /etc/ssh/sshd_config

First switch the sftp subsystem to sshd's in-process server, which needs no binaries or libraries inside the chroot (comment out the external sftp-server line):

#Subsystem sftp /usr/lib/openssh/sftp-server
Subsystem sftp internal-sftp

Then append this stanza to the end of the file. It has to go last: every directive after a Match line belongs to that Match until the next one, so anything placed below it would silently become conditional.

Match User guest-user
ChrootDirectory /var/www/yoursite.com/public_html/subsite
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp

Two things to check before this works. The chroot directory, and every directory on the path above it, must be owned by root and not writable by group or others; sshd enforces this and otherwise drops the connection right after authentication, logging "bad ownership or modes for chroot directory" in /var/log/auth.log. A consequence is that guest-user cannot write into the chroot root itself; if uploads are needed, create a subdirectory inside it that guest-user owns. AllowTcpForwarding no matters even though the user has no shell: without it an SFTP-only account could still use the server as a TCP relay to reach other hosts.

Note that I had trouble making this work by matching Groups - which would obviously be a more efficient way of setting this up.

Ctrl + o to save, Ctrl + x to exit.

Before restarting, validate the edited file with sshd's -t option (as root); a syntax error would stop sshd from coming back and lock you out of a remote machine. Then restart SSH. On Ubuntu 14.04 the ssh service is an Upstart job, so go through service(8) - use THIS:

sudo service ssh restart

DON'T use this:

sudo /etc/init.d/ssh restart

If you try to connect via SSH as the new user, you'll see this:

david@david-desktop:~$ ssh -p 1234 guest-user@123.45.67.890
guest-user@123.45.67.890's password:
Could not chdir to home directory /var/www/yoursite.com/public_html/subsite: No such file or directory
This service allows sftp connections only.
Connection to 123.45.67.890 closed.

The "Could not chdir to home directory" warning appears because sshd changes to the user's home directory after entering the chroot, and /var/www/yoursite.com/public_html/subsite does not exist as a path inside its own chroot. The session falls back to the chroot root, which is why SFTP still works; setting the home directory to a path that exists inside the chroot (for example a writable upload subdirectory, written as /upload) removes the warning.

Remember to use the correct port when connecting via SFTP if sshd listens on a non-default one: the sftp client takes it as -P (upper case), unlike ssh's -p.
