a guest
Feb 16th, 2019
# sftp user

So you want to configure an sftp only user?

## Setup a group for sftp only users

```sh
groupadd sftponly
```

## Make chroot jail directory

For security reasons, one ought to use chroot jailing, which confines a user
to the specified directory and its tree, but nothing else.

**NOTE**: For the chroot jail to work properly, users' home directories (and all
directories in the path) **must** be owned by root, and must not be writable by
groups (g-w).

Replace `username` below with your chosen username.
Replace `public` below with any directory you want to use (e.g. `dropbox`,
`incoming`).

```sh
# make a directory for all sftp users
sudo mkdir /sftp

# make the user's home directory
# note that the user will not be able to write to /sftp/username
sudo mkdir /sftp/username

# make the user's public directory
# this will be writable.
sudo mkdir /sftp/username/public

# set the ownership of the user's public directory
sudo chown username:sftponly /sftp/username/public
```

  36.  
  37. ## Edit `sshd_config`
  38.  
  39. Edit `/etc/ssh/sshd_config` with your favorite editor.
  40.  
  41. Add the following to the end of the file:
  42.  
  43. Match Group sftponly
  44. ChrootDirectory /sftp/%u
  45. X11Forwarding no
  46. AllowTcpForwarding no
  47. ForceCommand internal-sftp
  48.  
  49.  
  50. And restart the ssh server. If you're using upstart:
  51.  
  52. sudo restart ssh
  53.  
## Add the sftp user

Replace `username` below with your chosen username.
Replace `public` below if you did above.

```sh
# add the user
# -g sftponly: sets the group
# -d /public: sets the user's home directory, relative to the chroot
#             (i.e. /sftp/username/public, the writable directory)
# -s /usr/sbin/nologin: no shell. (confirm path with `which nologin`)
sudo useradd -g sftponly -d /public -s /usr/sbin/nologin username

# change the user's password (use a long random password)
sudo passwd username
```

## Et voilà!

ssh connections should not work:

```
% ssh username@localhost
username@localhost's password:
This service allows sftp connections only.
Connection to localhost closed.
%
```

sftp connections should work:

```
% sftp username@localhost
username@localhost's password:
Connected to localhost.
sftp>
```