SFTP Only Access

From Funtoo
Revision as of 16:50, 30 August 2011

Context

In some cases, it can be useful to set up an account on your Funtoo box for a user who:

  • does not see the whole contents of the machine but, instead, remains "jailed" in a home directory
  • is able to transfer files back and forth to the box via SFTP
  • does not have access to a shell

Such an SFTP-only access is easy to set up:

  1. Assign a group (e.g. sftponly) to the users that must be restricted to an SFTP-only account
  2. Slightly change the OpenSSH configuration so that users belonging to your sftp-only group are given a chrooted access
  3. Make OpenSSH ignore any command other than running sftp-server on the server side for users belonging to your sftp-only group (this is where the trick lies!)

Quick start

First, a dedicated group must be created. For the sake of the example we use sftponly here; use whatever name fits your preferences:

# groupadd sftponly

Next, in the OpenSSH configuration (located in /etc/sshd/sshd_config), locate:

Subsystem      sftp    /usr/lib64/misc/sftp-server

and change it to:

Subsystem      sftp    internal-sftp

Now the $100 question: "how can OpenSSH be told to restrict a user's access to a simple sftp session?" Simple! Assuming that sftponly is the group you use for your restricted users, just add the following statement to the file /etc/sshd/sshd_config:

# Restricted users, no TCP connection bouncing, no X tunneling.
Match group sftponly
        ChrootDirectory /home/%u
        X11Forwarding no
        AllowTcpForwarding no
        ForceCommand internal-sftp
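As an added example (not from the Funtoo page or the OpenSSH project), here is a small POSIX shell audit for the setup above: one function checks an sshd_config for the internal-sftp subsystem and a Match block carrying all four restrictions, the other checks a ChrootDirectory against the rule sshd enforces, namely that the directory and every parent must be root-owned and not writable by group or others, otherwise the login is refused. It assumes GNU or BusyBox awk and stat; the config path, group name and directory are arguments.

```shell
#!/bin/sh
# Added example, not the Funtoo page's own code: audit an sshd_config for the
# SFTP-only setup and check a chroot directory. Assumes POSIX sh, awk, GNU/BusyBox stat.

# audit_sftp_config FILE GROUP: return 0 when FILE has "Subsystem sftp
# internal-sftp" and a "Match group GROUP" block with all four restrictions.
audit_sftp_config() {
    awk -v grp="$2" '
        { sub(/#.*/, "") }                               # strip comments
        NF == 0 { next }
        tolower($1) == "subsystem" && tolower($2) == "sftp" {
            subsys = (tolower($3) == "internal-sftp")
        }
        tolower($1) == "match" {                         # a new Match block starts
            inblock = 0
            for (i = 2; i < NF; i += 2)
                if (tolower($i) == "group" && $(i + 1) == grp) inblock = 1
            next
        }
        inblock {                                        # options of our group block
            k = tolower($1); v = tolower($2)
            if (k == "chrootdirectory")                      seen["ChrootDirectory"] = 1
            if (k == "forcecommand" && v == "internal-sftp") seen["ForceCommand"] = 1
            if (k == "allowtcpforwarding" && v == "no")      seen["AllowTcpForwarding"] = 1
            if (k == "x11forwarding" && v == "no")           seen["X11Forwarding"] = 1
        }
        END {
            if (!subsys) { print "missing: Subsystem sftp internal-sftp"; bad = 1 }
            n = split("ChrootDirectory ForceCommand AllowTcpForwarding X11Forwarding", want, " ")
            for (i = 1; i <= n; i++)
                if (!seen[want[i]]) { print "missing in Match block: " want[i]; bad = 1 }
            exit bad + 0
        }' "$1"
}

# check_chroot_dir DIR: return 0 when DIR and every ancestor are owned by
# root and writable only by their owner; sshd rejects the chroot otherwise.
check_chroot_dir() {
    d=$1
    while :; do
        set -- $(stat -c '%u %A' "$d" 2>/dev/null)       # uid and "drwxr-xr-x" style mode
        [ "${1:-}" = 0 ] || { echo "$d: not owned by root"; return 1; }
        case $2 in
            ?????w*|????????w*) echo "$d: writable by group or others"; return 1 ;;
        esac
        [ "$d" = / ] && return 0
        d=$(dirname "$d")
    done
}
```

Because /home/%u must then be root-owned, the user cannot write at the top of the chroot; give them a user-owned subdirectory inside it for uploads.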

To understand how it works, you must be aware that, when you open an SSH session, the SSHD process launches a process on the server side, which could be:

  • a shell => ssh login@host
  • a kind of dedicated ftp daemon (sftp-server) => sftp user@host

TBC