34

I need to give SFTP access to a directory within my webroot on my server. I've set up ben_files as a user and have set his home directory to

/var/www/vhosts/mydomain.example/files

That's all fine if he connects with plain old FTP - he's restricted just to that directory, but to enable SFTP I had to add him to bin/bash shell, which suddenly opens up my entire server...

Is there a way of giving him SFTP access but without opening up all my directories? I'd really like him restricted to only his home.

Stephen Ostermiller
  • 23,933
  • 14
  • 88
  • 109
MrFidge
  • 2,107
  • 11
  • 40
  • 63

5 Answers5

47

OpenSSH≥4.8 supports a ChrootDirectory directive.

Add to /etc/sshd_config or /etc/ssh/sshd_config or whatever your setup's global sshd config file is:

Match user ben_files
        # The following two directives force ben_files to become chrooted
        # and only have sftp available.  No other chroot setup is required.
        ChrootDirectory /var/www/vhosts/mydomain.example/files
        ForceCommand internal-sftp
        # For additional paranoia, disallow all types of port forwardings.
        AllowTcpForwarding no
        GatewayPorts no
        X11Forwarding no
Stephen Ostermiller
  • 23,933
  • 14
  • 88
  • 109
ephemient
  • 198,619
  • 38
  • 280
  • 391
  • Hiya, I get some errors - Starting sshd: /etc/ssh/sshd_config: line 113: Bad configuration option: Match AND /etc/ssh/sshd_config: line 115: Bad configuration option: ForceCommand. These both stop sshd coming back up again. Any ideas? – MrFidge Oct 07 '09 at 10:44
  • You probably don't have a new enough SSH version. – ephemient Oct 07 '09 at 14:29
  • ahh yeah, i missed that bit in your answer - we're on 4.3, i'll look at getting that upgraded. – MrFidge Oct 08 '09 at 09:27
  • Oh wow, 4.3 is 4 years old by now; you're still using it? Upgrade! 5.3 is the current latest release. – ephemient Oct 08 '09 at 22:20
  • That's plesk for you... They package up all sorts of old versions with custom tweaks. Hate it tbh. – MrFidge Feb 17 '10 at 10:45
  • @matt ryan: The goal here is to deny the user all access other than sftp. – ephemient Nov 05 '10 at 01:27
  • 3
    @ephemient yes, they were denied using sftp. but, i realized my issue was ownership over the home directory. i set it root:root 755 and it's all good – Matt Ryan Nov 06 '10 at 16:24
3

You might try setting his shell to /bin/rbash

RESTRICTED SHELL If bash is started with the name rbash, or the -r option is supplied at invocation, the shell becomes restricted. A restricted shell is used to set up an environment more controlled than the standard shell. It behaves identically to bash with the exception that the following are disallowed or not performed:

   ·      changing directories with cd

plus more...

Make sure you fully understand what is allowed and disallowed before you use this.

Dennis Williamson
  • 346,391
  • 90
  • 374
  • 439
  • rbash is in the distro, but it doesnt appear to allow sftp - i'll have to look into the configuration i guess. Thanks for the tip tho! – MrFidge Oct 06 '09 at 20:20
3

Take a look at rssh. It may already be packaged for your o/s distribution.

Ned Deily
  • 83,389
  • 16
  • 128
  • 151
0

Use pam_chroot.

Here is a good manual: Chrooted SSH/SFTP Tutorial (Debian Etch)

Stephen Ostermiller
  • 23,933
  • 14
  • 88
  • 109
rvs
  • 1,251
  • 13
  • 22
-2

You can also set the users shell to /bin/false by using:

usermod -s /bin/false username

Restricts them from ssh'ing in and can only sftp (or ftp, if it's setup)

I use this for sftp usres, along with the mentioned chroot setup (covered by other answers).

Stephen Ostermiller
  • 23,933
  • 14
  • 88
  • 109
DotrainExpress
  • 9
  • 3