from http://www.techrepublic.com/blog/linux-and-open-source/chroot-users-with-openssh-an-easier-way-to-confine-users-to-their-home-directories/
#In the file /etc/ssh/sshd_config :
#make sure the sftp subservice is defined with the line (only once)
Subsystem sftp /usr/lib/openssh/sftp-server
# add the following lines (only once)
Match Group sftp
ChrootDirectory %h
ForceCommand internal-sftp
AllowTcpForwarding no
#Then on the linux shell, create the sftp group (only once)
sudo addgroup sftp
#Create the user and set its properties (for each sftp user)
sudo adduser joe
sudo usermod -G sftp joe
sudo usermod -s /bin/false joe
sudo chown root:root /home/joe
sudo chmod 0755 /home/joe
sudo usermod -G sftp joe
sudo mkdir /home/joe/Data
sudo chown -R joe:joe /home/joe/Data
The usermod command above will add user joe to the sftp group and set their shell to /bin/false so they absolutely cannot ever get shell access. The chown and chmod commands will set the required permissions for the directory. With these permissions set, the user will be allowed to upload and download files, but cannot create directories or files in the root directory. In other words, if this is used for Web hosting, ensure that a subdirectory in the root directory, such as /home/joe/public_html/ is available and owned by the user; this way they can write to and create directories in /home/joe/public_html/, but cannot make changes to the root directory (/home/joe), itself.
#In the file /etc/ssh/sshd_config :
#make sure the sftp subservice is defined with the line (only once)
Subsystem sftp /usr/lib/openssh/sftp-server
# add the following lines (only once)
Match Group sftp
ChrootDirectory %h
ForceCommand internal-sftp
AllowTcpForwarding no
#Then on the linux shell, create the sftp group (only once)
sudo addgroup sftp
#Create the user and set its properties (for each sftp user)
sudo adduser joe
sudo usermod -G sftp joe
sudo usermod -s /bin/false joe
sudo chown root:root /home/joe
sudo chmod 0755 /home/joe
sudo usermod -G sftp joe
sudo mkdir /home/joe/Data
sudo chown -R joe:joe /home/joe/Data
The usermod command above will add user joe to the sftp group and set their shell to /bin/false so they absolutely cannot ever get shell access. The chown and chmod commands will set the required permissions for the directory. With these permissions set, the user will be allowed to upload and download files, but cannot create directories or files in the root directory. In other words, if this is used for Web hosting, ensure that a subdirectory in the root directory, such as /home/joe/public_html/ is available and owned by the user; this way they can write to and create directories in /home/joe/public_html/, but cannot make changes to the root directory (/home/joe), itself.
No comments:
Post a Comment