sftp with restricted folder
I recently needed to set up an ftp server (or sftp server) that allows the user to transfer files. I had some restrictions:
- The account cannot have
ssh
access since I don't want an unauthorized person to run jobs on the server. - The account needs to be restricted to a single directory. I don't want the account to have access to all files on the server.
I first followed this guide to get proftpd up with an account. However, I kept getting errors trying to log in using Nautilus or Filezilla. The error came from PASV
mode, which I think stems from a firewall/NAT issue. I next tried this to use vsftpd. Still no go (same error).
I decided to use sftp since I know for sure ssh works and that it's more secure. Now that I think about it, none of my server has an ftp server running since sftp is more secure and Nautilus and Filezilla supports the sftp protocol.
From this post, I re-discovered rssh and the native support from recent versions of openssh. The "match user" method for openssh and the rssh method did not work for me. I finally stumbled on this post that made things work.
sudo apt-get install openssh ## this is already installed for me
## modify /etc/ssh/sshd_config
# Use the following line to *replace* any existing 'Subsystem' line
Subsystem sftp internal-sftp
# These lines must appear at the *end* of sshd_config
Match Group sftponly
ChrootDirectory %h
ForceCommand internal-sftp
AllowTcpForwarding no
## in shell
sudo groupadd sftponly
sudo useradd newuser
sudo passwd newuser ## set password
sudo usermod -g sftponly -s /bin/false -d /home/newuser newuser
sudo chown root:root /home/newuser
cd /home/newuser
sudo mkdir upload ## upload files in here
sudo chown newuser:newuser upload
sudo /etc/init.d/ssh restart
Now, ssh with the newuser
should not work, and sftp (via command line, nautilus, or filezilla) should only access one location.
Note that /home/newuser
is own by root, so newuser
can't do much in there. Create a directory upload
, and make newuser
the owner.