= Context =
 
In some cases it is useful to set up an account on your Funtoo box such that the user:

* does not see the whole contents of the machine but instead remains "jailed" in a home directory
* is able to transfer files back and forth to the box via SFTP
* does not get a shell

Such an SFTP-only access is easy to set up:

# Assign a group (e.g. ''sftponly'') to the users that must be restricted to SFTP-only accounts
# Change the OpenSSH configuration slightly so that users belonging to your sftp-only group are given a chrooted access
# Make OpenSSH ignore any command other than its built-in SFTP server for users belonging to your sftp-only group (this is where the trick lies!)

= Quick start =

First, a dedicated group must be created. For the sake of the example we use ''sftponly'' here; use whatever name fits your preferences:

<pre>
# groupadd sftponly
</pre>

Next, in the OpenSSH configuration (located in '''/etc/ssh/sshd_config''') locate:

<pre>
Subsystem      sftp    /usr/lib64/misc/sftp-server
</pre>

and change it to:

<pre>
Subsystem      sftp    internal-sftp
</pre>

''internal-sftp'' is the SFTP server built into sshd itself: it runs in-process, so neither the ''sftp-server'' binary nor the libraries it depends on have to exist inside the chroot.

Now the $100 question: ''"how can OpenSSH be told to restrict a user to a plain SFTP session?"'' Simple! Assuming that ''sftponly'' is the group you use for your restricted users, just add the following statement to '''/etc/ssh/sshd_config''' (at the end of the file: every directive that follows a ''Match'' line belongs to that block):

<pre>
# Restricted users, no TCP connection bouncing, no X tunneling.
Match Group sftponly
        ChrootDirectory /home/%u
        X11Forwarding no
        AllowTcpForwarding no
        ForceCommand internal-sftp
</pre>

One caveat: sshd refuses to chroot unless the ''ChrootDirectory'' and every directory above it are owned by root and writable by nobody else (otherwise the log reads "bad ownership or modes for chroot directory"). The user's home therefore has to be root-owned and read-only for the user; give them a writable subdirectory (e.g. ''/home/%u/upload'') for the actual transfers.

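The three steps above as one script, an added example that is not part of the original page nor of Funtoo's own tooling. It assumes the group name ''sftponly'', a hypothetical user ''alice'', GNU coreutils ''stat'', and that sshd reads ''/etc/ssh/sshd_config''; the ''chroot_perms_ok'' check encodes the root-owned, not group/world-writable rule that sshd applies to every component of the chroot path. Run it as root with <code>sh sftp-only.sh setup alice</code>:

```shell
#!/bin/sh
# Added example, not from the Funtoo wiki page.  Sets up an SFTP-only,
# chrooted account following the Quick start: group, user, chroot
# permissions, sshd_config Match block.  Assumptions: the group is
# "sftponly", sshd reads /etc/ssh/sshd_config, GNU coreutils stat is
# available, and "setup" is run as root.
set -e

SFTP_GROUP=${SFTP_GROUP:-sftponly}
SSHD_CONFIG=${SSHD_CONFIG:-/etc/ssh/sshd_config}

# The block to append to sshd_config.  It goes at the END of the file:
# every directive after a Match line belongs to that Match block.
render_match_block() {
    printf '%s\n' \
        "# Restricted users: chrooted, sftp only, no TCP forwarding, no X11." \
        "Match Group $1" \
        "        ChrootDirectory /home/%u" \
        "        X11Forwarding no" \
        "        AllowTcpForwarding no" \
        "        ForceCommand internal-sftp"
}

# sshd's rule for ChrootDirectory (and every parent of it): owned by root
# and not writable by group or others.  Pure check on a numeric uid and an
# octal mode as printed by stat -c '%u' / '%a'; returns 0 when acceptable.
chroot_perms_ok() {
    uid=$1
    mode=$2
    [ "$uid" -eq 0 ] || return 1
    other=${mode#"${mode%?}"}           # last octal digit (others)
    rest=${mode%?}
    group=${rest#"${rest%?}"}           # second-to-last octal digit (group)
    case "$group$other" in
        *[2367]*) return 1 ;;           # write bit set for group or others
    esac
    return 0
}

# Walk from the chroot up to / and apply the rule to each component.
check_chroot_path() {
    dir=$1
    while [ "$dir" != "/" ]; do
        set -- $(stat -c '%u %a' "$dir")
        if ! chroot_perms_ok "$1" "$2"; then
            echo "chroot component $dir: uid $1 mode $2 (must be root-owned, not g/o-writable)" >&2
            return 1
        fi
        dir=$(dirname "$dir")
    done
}

# Create the restricted account.  The home is the chroot, so it must stay
# root-owned and read-only for the user; "upload" is the writable area.
setup_sftp_user() {
    user=$1
    getent group "$SFTP_GROUP" >/dev/null 2>&1 || groupadd "$SFTP_GROUP"
    id "$user" >/dev/null 2>&1 || useradd -m -g "$SFTP_GROUP" "$user"
    chown root:root "/home/$user"
    chmod 755 "/home/$user"
    mkdir -p "/home/$user/upload"
    chown "$user:$SFTP_GROUP" "/home/$user/upload"
    chmod 750 "/home/$user/upload"
    check_chroot_path "/home/$user"
}

# Switch the sftp subsystem to internal-sftp and append the Match block
# once; sshd -t validates the result before anything is reloaded.
install_sshd_config() {
    sed -i 's|^Subsystem[[:space:]]*sftp[[:space:]].*|Subsystem       sftp    internal-sftp|' "$SSHD_CONFIG"
    if ! grep -qi "^Match[[:space:]]*Group[[:space:]]*$SFTP_GROUP\$" "$SSHD_CONFIG"; then
        { echo; render_match_block "$SFTP_GROUP"; } >> "$SSHD_CONFIG"
    fi
    sshd -t
    echo "sshd_config OK; reload sshd to apply" >&2
}

# Example usage (as root):  sh sftp-only.sh setup alice
case ${1:-} in
    setup)
        [ -n "${2:-}" ] || { echo "usage: $0 setup <user>" >&2; exit 2; }
        setup_sftp_user "$2"
        install_sshd_config
        ;;
esac
```

After the reload, <code>sftp alice@host</code> lands in <code>/</code> of the chroot (really ''/home/alice'') and can only write under ''upload''; <code>ssh alice@host</code> is answered by the SFTP protocol instead of a shell and the client aborts, which is the intended behaviour.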
To understand how it works, you must be aware that, when you open an SSH session, the sshd process launches a process on the server side which can be:

* a shell => ssh login@host
* a kind of dedicated FTP daemon (''sftp-server'', or sshd's built-in ''internal-sftp'') => sftp user@host

TBC
 
[[Category:HOWTO]]