Set Up restricted SFTP Access Using OpenSSH
Linux, Sysadmin
You can use OpenSSH to allow users to have restricted SFTP access to your filesystem.
This guide is for OpenSSH_6.6.1p1 Ubuntu-2ubuntu2 running on Ubuntu Server 14.04.1 LTS.
Set Up a New User
# Create a new user (root privileges are needed for all three commands, as for the rest of this guide)
sudo useradd guest-user
# Set a password
sudo passwd guest-user
# Set the home directory for the new user to the target site directory
sudo usermod -d /var/www/yoursite.com/public_html/subsite guest-user
Block SSH Access
Give the user a non-login shell, so they can't get a shell on the server over SSH:
sudo usermod -s /bin/false guest-user
Configure SSH
First make a backup of sshd_config. Then edit the SSH config file:
sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config_bak
sudo nano /etc/ssh/sshd_config
Set the sftp subsystem to the built-in internal-sftp, commenting out the external sftp-server line:
#Subsystem sftp /usr/lib/openssh/sftp-server
Subsystem sftp internal-sftp
Then append this stanza to the end of the file (a Match block applies to every line that follows it, so it must come after the global settings):
Match User guest-user
    ChrootDirectory /var/www/yoursite.com/public_html/subsite
    X11Forwarding no
    AllowTcpForwarding no
    ForceCommand internal-sftp
Note that I had trouble making this work by matching Groups - which would obviously be a more efficient way of setting this up.
Ctrl + o to save, Ctrl + x to exit.
Restart SSH - use THIS:
sudo service ssh restart
DON’T use this:
sudo /etc/init.d/ssh restart
If you try to connect via SSH as the new user, you'll see this:
david@david-desktop:~$ ssh -p 1234 guest-user@123.45.67.890
guest-user@123.45.67.890's password:
Could not chdir to home directory /var/www/yoursite.com/public_html/subsite: No such file or directory
This service allows sftp connections only.
Connection to 123.45.67.890 closed.
Remember to set the correct port for SSH access when accessing via SFTP.
External Resources
- SFTP Chapter, Open SSH Cookbook - an excellent free online book that outlines how to configure SSH.
- Ubuntu Guide to OpenSSH Server
- http://serverfault.com/questions/392601/how-to-add-user-with-sftp-ftp-access-to-var-www-html-website-abc-folder-on-a
- http://www.fullybaked.co.uk/articles/chroot-ssh-ftp-users-to-home-directory