Linux shell to restrict sftp users to their home directories?
I need to give SFTP access to a directory within my webroot on my server. I've set up ben_files as a user and have set his home directory to

/var/www/vhosts/mydomain.example/files

That's all fine if he connects with plain old FTP - he's restricted just to that directory, but to enable SFTP I had to add him to bin/bash shell, which suddenly opens up my entire server...

Is there a way of giving him SFTP access but without opening up all my directories? I'd really like him restricted to only his home.

Try answered 6/10, 2009 at 17:16 Comment(0)
48

OpenSSH ≥ 4.8 supports a ChrootDirectory directive.

Add to /etc/sshd_config or /etc/ssh/sshd_config or whatever your setup's global sshd config file is:

Match user ben_files
        # The following two directives force ben_files to become chrooted
        # and only have sftp available.  No other chroot setup is required.
        ChrootDirectory /var/www/vhosts/mydomain.example/files
        ForceCommand internal-sftp
        # For additional paranoia, disallow all types of port forwardings.
        AllowTcpForwarding no
        GatewayPorts no
        X11Forwarding no
Rossie answered 7/10, 2009 at 2:48 Comment(7)
Hiya, I get some errors - Starting sshd: /etc/ssh/sshd_config: line 113: Bad configuration option: Match AND /etc/ssh/sshd_config: line 115: Bad configuration option: ForceCommand. These both stop sshd coming back up again. Any ideas? - Try
You probably don't have a new enough SSH version. - Rossie
Ahh yeah, I missed that bit in your answer - we're on 4.3, I'll look at getting that upgraded. - Try
Oh wow, 4.3 is 4 years old by now; you're still using it? Upgrade! 5.3 is the current latest release. - Rossie
That's Plesk for you... They package up all sorts of old versions with custom tweaks. Hate it, tbh. - Try
@matt ryan: The goal here is to deny the user all access other than sftp. - Rossie
@Rossie yes, they were denied using sftp. But I realized my issue was ownership over the home directory. I set it root:root 755 and it's all good. - Enthrall
3

You might try setting his shell to /bin/rbash

RESTRICTED SHELL If bash is started with the name rbash, or the -r option is supplied at invocation, the shell becomes restricted. A restricted shell is used to set up an environment more controlled than the standard shell. It behaves identically to bash with the exception that the following are disallowed or not performed:

· changing directories with cd

plus more...

Make sure you fully understand what is allowed and disallowed before you use this.

Malawi answered 6/10, 2009 at 17:30 Comment(1)
rbash is in the distro, but it doesn't appear to allow sftp - I'll have to look into the configuration, I guess. Thanks for the tip tho! - Try
3

Take a look at rssh. It may already be packaged for your o/s distribution.

Proliferate answered 6/10, 2009 at 17:41 Comment(2)
It's not packaged, but that is perfect! I'll look at getting that installed asap ;) Thanks! - Try
rssh is now unmaintained, and lacks security updates. - Caesura
0

Use pam_chroot.

Here is a good manual: Chrooted SSH/SFTP Tutorial (Debian Etch)

Draw answered 7/10, 2009 at 20:18 Comment(0)
-2

You can also set the user's shell to /bin/false by using:

usermod -s /bin/false username

This restricts them from ssh'ing in; they can only sftp (or ftp, if it's set up).

I use this for sftp users, along with the mentioned chroot setup (covered by other answers).

Ootid answered 20/2, 2014 at 14:36 Comment(2)
When I set my shell to /bin/false, I can no longer sftp or scp to it! - Latrena
/bin/false restricts any kind of login attempt. Your information is false. Use /sbin/nologin instead. - Misfeasor