Create a SFTP user to access only one directory. [closed]
I need to create a user which can only SFTP to a specific directory and take a copy of some information. That is it. I keep looking online and they bring up information about chroot and modifying the sshd_config.

So far I can just

  • add the user "useradd sftpexport"
  • create it without a home directory "-M"
  • set its login location "-d /u02/export/cdrs" (where the information is stored)
  • not allow it to use ssh "-s /bin/false"

useradd sftpexport -M -d /u02/export/cdrs -s /bin/false

Can anyone suggest what I am meant to edit so the user can only log in and copy the file off?

Pantile answered 16/4, 2014 at 4:14 Comment(2)
possible duplicate of Linux shell to restrict sftp users to their home directories? – Glyceric
Did you find what was the issue with your useradd command? (without having to create a new user group) – Rexer
I prefer to create a user group sftp and restrict users in that group to their home directory.

First, edit your /etc/ssh/sshd_config file and add this at the bottom.

Match Group sftp
    ChrootDirectory %h
    ForceCommand internal-sftp
    AllowTcpForwarding no

This tells OpenSSH that all users in the sftp group are to be chrooted to their home directory (which %h represents in the ChrootDirectory command).

Add a new sftp group, add your user to the group, restrict him from ssh access and define his home directory.

groupadd sftp
usermod username -g sftp
usermod username -s /bin/false
usermod username -d /home/username

Restart ssh:

sudo service ssh restart

If you are still experiencing problems, check that the directory permissions are correct on the home directory. Adjust the 755 value appropriately for your setup.

sudo chmod 755 /home/username

EDIT: Based on the details of your question, it looks like you are just missing the sshd_config portion. In your case, substitute sftp with sftpexport. Also be sure that the file permissions are accessible on the /u02/export/cdrs directory.

An even better setup (and there are even better setups than what I am about to propose) is to symlink the /u02/export/cdrs directory to the user home directory.

Rosen answered 16/4, 2014 at 4:23 Comment(4)
Question: does the directory have to be owned by him? As it is owned by another user. I have added him to the same group as said user as well. – Pantile
Please read up on user privileges. The 3 numbers correspond to user, group and others (world). It is imperative that you learn what these mean and how to use them safely. Do a google search, but here is one post: thegeekstuff.com/2010/04/unix-file-and-directory-permissions – Rosen
One side-note on the bin/false. For readers, you might check whether you actually need it before copy-and-pasting. For example there is a related answer serverfault.com/a/519218/394787 – Neale
Don't forget to change the default Subsystem in /etc/ssh/sshd_config from #Subsystem sftp /usr/lib/openssh/sftp-server to Subsystem sftp internal-sftp – Commove
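Added here as an example (not part of the answer above, and not OpenSSH's own tooling): a POSIX shell check for the rule sshd enforces on ChrootDirectory, which is the usual reason this setup fails at login with "bad ownership or modes for chroot directory" in the auth log: every component of the path, from / down to the chroot itself, must be owned by root and must not be writable by group or others. The EXPECTED_UID and TOP parameters are assumptions added so the function can be exercised on a scratch tree owned by an unprivileged user; for a real check leave both at their defaults.

```shell
# check_chroot_path DIR [EXPECTED_UID] [TOP]
# Walk from DIR up to TOP (default "/") and report every path component that
# sshd would reject as a ChrootDirectory: not owned by EXPECTED_UID (default 0,
# i.e. root) or writable by group or others. Prints one line per problem and
# returns 0 only when the whole path is acceptable.
# EXPECTED_UID and TOP are additions for testing on a scratch tree; a real
# audit uses the defaults (root owner, walk all the way to /).
check_chroot_path() {
  _cur=$1; _uid=${2:-0}; _top=${3:-/}; _rc=0
  while :; do
    _owner=$(stat -c '%u' "$_cur") || return 2          # GNU stat (Linux)
    _perm=$(stat -c '%A' "$_cur")                        # e.g. drwxr-xr-x
    if [ "$_owner" != "$_uid" ]; then
      echo "$_cur: owned by uid $_owner, sshd requires uid $_uid"; _rc=1
    fi
    case $_perm in
      ?????w*|????????w*)                                # group or other 'w' bit
        echo "$_cur: writable by group/others ($_perm)"; _rc=1 ;;
    esac
    if [ "$_cur" = "$_top" ] || [ "$_cur" = / ]; then break; fi
    _cur=$(dirname "$_cur")
  done
  return $_rc
}

# Typical use on the directory from the question (run as root):
#   check_chroot_path /u02/export/cdrs
```

A directory that is reported as writable by group/others is fixed with chmod 755 as in the answer; one reported with the wrong owner needs chown root:root, which means the chroot root itself cannot be the user's own writable directory.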
You might need to add a restricted shell so this user can put some files there. You can use the rssh tool for that.

usermod -s /usr/bin/rssh sftpexport

Enable allowed protocols in config /etc/rssh.conf.

Poling answered 16/4, 2014 at 5:28 Comment(1)
rssh is now unmaintained. – Sasin