Thursday, August 29, 2013

How to set up an sftp user to have limited access in Ubuntu Server

Below you'll find how to set up a user to have limited access (chroot) to your Ubuntu Server.  I wanted to set up an account for my friend but didn't want him to have the ability to browse my server.  After browsing the web I consolidated these steps into a successful and stress-free setup (I hope):

Create a new user (if necessary):

sudo adduser --system --no-create-home USERNAME

This creates a new user without a home folder.  I did this because I already had a folder I wanted to give as the primary access point.  If you wish you can just use:

sudo adduser USERNAME

if you want to make the user's home folder the point of access.

Make the folder if it is not already created:

sudo mkdir /shared/folder

Change ownership of the folder:

sudo chown root:root /shared/folder
sudo chmod 755 /shared/folder

I've found that if you do not set it to root you won't be able to successfully connect via sftp.

Edit the sshd_config file using nano or your preferred text editor:

sudo nano /etc/ssh/sshd_config

Comment out the line and add the line below:

#Subsystem sftp /usr/lib/openssh/sftp-server
Subsystem sftp internal-sftp

Add this section at the end of the text file then save:

Match User USERNAME
  ChrootDirectory /shared/folder
  ForceCommand internal-sftp
  AllowTCPForwarding no
  X11Forwarding no

Restart the ssh service:

sudo service ssh restart

Now try connecting as the new user with an SFTP client such as Transmit.

Hope this helped.

*I only needed to add a user.  It might be better to create an sftp group and then use "Match Group GROUPNAME" if you plan on having multiple users.  Then in the future you can just add the newly created user to the group without having to edit the sshd_config file.  %h points to the user's home folder:

Match Group GROUPNAME
  ChrootDirectory %h
  ForceCommand internal-sftp
  AllowTCPForwarding no
  X11Forwarding no
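As an added example (not part of the original post), the script below wraps the Match User procedure above and the Match Group variant in functions: it renders the Match block, walks the chroot path to check what sshd actually requires (the ChrootDirectory and every directory above it must be owned by root and not writable by group or others, which is why the post's chown to root matters), and creates a user-owned upload directory inside the chroot, since the user cannot write to the root-owned chroot itself. It assumes Ubuntu with OpenSSH and that setup_sftp_user runs as root; "alice" and /shared/folder are placeholder values.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes Ubuntu with OpenSSH and that
# setup_sftp_user runs as root; "alice" and /shared/folder are placeholder values.
set -eu

# Render the Match block from the post; $1 is "User" or "Group", $2 the name, $3 the chroot.
render_match_block() {
  printf 'Match %s %s\n  ChrootDirectory %s\n' "$1" "$2" "$3"
  printf '  ForceCommand internal-sftp\n  AllowTcpForwarding no\n  X11Forwarding no\n'
}

# Owner of a path, parsed from ls -ld so it works without GNU stat.
owner_of() { ls -ld "$1" | awk '{print $3}'; }

# Exit 0 when the path is writable by group or others (column 6 or 9 of ls -ld).
writable_by_group_or_other() {
  case "$(ls -ld "$1" | cut -c1-10)" in
    ?????w*|????????w?) return 0 ;;
  esac
  return 1
}

# sshd refuses a ChrootDirectory unless it and every parent directory are owned
# by root and not group/world writable; this walks the path and reports the first
# offending directory (the usual cause of the "cannot connect" symptom).
check_chroot_path() {
  d="$1"
  while :; do
    [ "$(owner_of "$d")" = root ] || { echo "not root-owned: $d"; return 1; }
    if writable_by_group_or_other "$d"; then echo "group/other writable: $d"; return 1; fi
    [ "$d" = / ] && return 0
    d=$(dirname "$d")
  done
}

# Full setup: sftp-only user, root-owned chroot, a user-owned upload directory
# inside it (the user cannot write to the chroot root itself), then the Match
# block, validated with sshd -t before ssh is restarted.
setup_sftp_user() {
  user="$1"; chroot_dir="$2"
  id "$user" >/dev/null 2>&1 || adduser --system --no-create-home "$user"
  mkdir -p "$chroot_dir/upload"
  chown root:root "$chroot_dir" && chmod 755 "$chroot_dir"
  chown "$user" "$chroot_dir/upload"
  check_chroot_path "$chroot_dir"
  grep -q "^Match User $user\$" /etc/ssh/sshd_config ||
    render_match_block User "$user" "$chroot_dir" >> /etc/ssh/sshd_config
  sshd -t && service ssh restart
}
```

Run `setup_sftp_user alice /shared/folder` as root; a system user created this way has no password, so give it an authorized key or set one before testing the connection.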
