Difference between revisions of "SFTP Only Access"
Revision as of 17:21, 13 January 2014

Context

In some cases it is useful to set up an account on your Funtoo box for a user who:

  • does not see the whole contents of the machine but instead remains "jailed" in a home directory
  • can transfer files to and from the box via SFTP
  • has no shell access

Such an SFTP-only access is easy to set up:

  1. Assign a group (e.g. sftponly) to the users that must be restricted to an SFTP-only account
  2. Change the OpenSSH configuration a bit so that users belonging to your sftp-only group get a chrooted session
  3. Make OpenSSH refuse any command other than the SFTP server for users belonging to your sftp-only group (this is where the trick lies!)

Quick start

First, a dedicated group must be created. For the sake of the example we use sftponly here; use whatever name fits your preferences:

# groupadd sftponly

Next, in the OpenSSH server configuration (located in /etc/ssh/sshd_config) locate:

# nano /etc/ssh/sshd_config
Subsystem      sftp    /usr/lib64/misc/sftp-server

and change it to:

# nano /etc/ssh/sshd_config
Subsystem      sftp    internal-sftp

internal-sftp is an SFTP server built into sshd itself, so it keeps working inside a chroot, where the external /usr/lib64/misc/sftp-server binary and the libraries it depends on are not available.

Now the $100 question: "how can OpenSSH be told to restrict a user to a plain SFTP session?" Simple! Assuming that sftponly is the group you use for your restricted users, add the following to /etc/ssh/sshd_config:

# nano /etc/ssh/sshd_config
# Restricted users, no TCP connection bouncing, no X tunneling.
Match Group sftponly
        ChrootDirectory /home/%u
        X11Forwarding no
        AllowTcpForwarding no
        ForceCommand internal-sftp

Two caveats. A Match block extends to the next Match line or to the end of the file, so put it at the very end of sshd_config, after the global settings. And sshd only accepts a ChrootDirectory whose every path component is owned by root and writable by nobody else: a home directory owned by the user does not qualify, so make /home/<user> root-owned (mode 755) and give the user a writable subdirectory inside it (for example /home/<user>/upload); otherwise the login is refused and sshd logs "bad ownership or modes for chroot directory".

To understand how it works, you must be aware that when you open an SSH session, the sshd process launches a process on the server side, which can be:

  • a shell => ssh login@host
  • a kind of dedicated FTP daemon (sftp-server) => sftp user@host

With ForceCommand internal-sftp, a user in the restricted group always gets the second option whatever the client asked for: a request for a shell or any other command is replaced by the built-in SFTP server.

Note: TBC