Below you'll find how to set up a user with limited access (chroot) to your Ubuntu Server. I wanted to set up an account for my friend but didn't want him to have the ability to browse my server. After browsing the web I consolidated these steps into a successful and stress-free setup (I hope):
Create a new user (if necessary):
sudo adduser --system --no-create-home USERNAME
This creates a new user without a home folder. I did this because I already had a folder I wanted to use as the primary access point. Note that a --system account is created locked, with no password, so give it a password or an SSH key before trying to log in. If you wish you can just use:
sudo adduser USERNAME
if you want to make the user's home folder the point of access.
Make the folder if it is not already created:
sudo mkdir /shared/folder
Change ownership of the folder:
sudo chown root:root /shared/folder
sudo chmod 755 /shared/folder
I've found that if you do not set it to root you won't be able to successfully connect via sftp. The reason is that sshd refuses to chroot into a directory that is not owned by root or that is group/world writable (every parent directory up to / must meet the same rule); the client is disconnected and sshd logs "bad ownership or modes for chroot directory" in /var/log/auth.log. Because the user cannot write into a root-owned 755 directory, create a subfolder inside it owned by the user if they need to upload files.
Edit the sshd_config file using nano or your preferred text editor:
sudo nano /etc/ssh/sshd_config
Comment out the existing Subsystem line and add the internal-sftp line below it:
#Subsystem sftp /usr/lib/openssh/sftp-server
Subsystem sftp internal-sftp
Add this section at the end of the text file then save:
Match User USERNAME
ChrootDirectory /shared/folder
ForceCommand internal-sftp
AllowTcpForwarding no
X11Forwarding no
Restart the ssh service:
sudo service ssh restart
Now try connecting as the new user with an SFTP client such as Transmit.
Hope this helped.
*I only needed to add a user. It might be better to create an sftp group and then use "Match Group sftp-group" if you plan on having multiple users. Then in the future you can just add the newly created user to the group without having to edit the sshd_config file. %h points to the user's home folder; with %h the home folder itself must be root-owned and not writable by the user, as above, so give the user a writable subfolder inside it.
Match Group GROUPNAME
ChrootDirectory %h
ForceCommand internal-sftp
AllowTcpForwarding no
X11Forwarding no