http://www.funtoo.org/index.php?title=SFTP_Only_Access&feed=atom&action=historySFTP Only Access - Revision history2013-06-19T19:04:54ZRevision history for this page on the wikiMediaWiki 1.20.6http://www.funtoo.org/index.php?title=SFTP_Only_Access&diff=5571&oldid=prev404 Error at 16:50, 30 August 20112011-08-30T16:50:18Z<p></p>
<table class='diff diff-contentalign-left'>
<col class='diff-marker' />
<col class='diff-content' />
<col class='diff-marker' />
<col class='diff-content' />
<tr style='vertical-align: top;'>
<td colspan='2' style="background-color: white; color:black;">← Older revision</td>
<td colspan='2' style="background-color: white; color:black;">Revision as of 16:50, 30 August 2011</td>
</tr><tr><td colspan="2" class="diff-lineno">Line 32:</td>
<td colspan="2" class="diff-lineno">Line 32:</td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div></pre></div></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div></pre></div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div>Now the $100 question: ''"how can OpenSSH can be told to restrict a user access to a simple sftp session?"'' Simple! <del class="diffchange diffchange-inline">Just </del>add to the file '''/etc/sshd/sshd_config''' the following statement:</div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div>Now the $100 question: ''"how can OpenSSH can be told to restrict a user access to a simple sftp session?"'' Simple! <ins class="diffchange diffchange-inline">Assuming that ''sftponly'' is the group you use for for your restricted users, just </ins>add to the file '''/etc/sshd/sshd_config''' the following statement:</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div><pre></div></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div><pre></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins style="color: red; font-weight: bold; text-decoration: none;"># Restricted users, no TCP connexions bouncing, no X tunneling.</ins></div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>Match group sftponly</div></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>Match group sftponly</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>         ChrootDirectory /home/%u</div></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>         ChrootDirectory /home/%u</div></td></tr>
<tr><td colspan="2" class="diff-lineno">Line 42:</td>
<td colspan="2" class="diff-lineno">Line 43:</td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div></pre></div></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div></pre></div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins style="color: red; font-weight: bold; text-decoration: none;">To understand how it works, you must be aware that, when you open an SSH session, the SSHD process launch a process on the server side which could be:</ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins style="color: red; font-weight: bold; text-decoration: none;">* a shell => ssh login@host</ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins style="color: red; font-weight: bold; text-decoration: none;">* a kind of dedicated ftp daemon (sftp-server) => sftp user@host</ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins style="color: red; font-weight: bold; text-decoration: none;"></ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins style="color: red; font-weight: bold; text-decoration: none;">TBC</ins></div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>[[Category:HOWTO]]</div></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>[[Category:HOWTO]]</div></td></tr>
<!-- diff cache key mediawiki:diff:version:1.11a:oldid:5570:newid:5571 -->
</table>404 Errorhttp://www.funtoo.org/index.php?title=SFTP_Only_Access&diff=5570&oldid=prev404 Error: Created page with "= Context = In some cases, it can be useful to set up an access on your Funtoo box such as a user: * does not see the whole contents of the machine but, instead, remains "jailed..."2011-08-30T12:59:36Z<p>Created page with "= Context = In some cases, it can be useful to set up an access on your Funtoo box such as a user: * does not see the whole contents of the machine but, instead, remains "jailed..."</p>
<p><b>New page</b></p><div>= Context =<br />
<br />
In some cases, it can be useful to set up an access on your Funtoo box such as a user:<br />
* does not see the whole contents of the machine but, instead, remains "jailed" in a home directory<br />
* is able to transfer files back and forth on the box via SFTP<br />
* does not have access to a shell<br />
<br />
Such a SFTP only access is easy to setup:<br />
<br />
# Assign a group (e.g. ''sftponly'') to users that must be restricted to a SFTP-only account<br />
# Change a bit the configuration of OpenSSH so that users belonging to your sftp-only group are given a chrooted access <br />
# Make OpenSSH ignore any other command than running sftp-server on the server side for users belonging to your sftp-only group (this is where the trick lies !)<br />
<br />
= Quick start =<br />
<br />
First, a dedicated group must be created. For the sake of the example we use sftponly here, use whatever name fits your preferences:<br />
<br />
<pre><br />
# groupadd sftponly<br />
</pre><br />
<br />
Next in the configuration of OpenSSH (located in '''/etc/sshd/sshd_config''') locate:<br />
<br />
<pre><br />
Subsystem sftp /usr/lib64/misc/sftp-server<br />
</pre><br />
<br />
and change it for:<br />
<br />
<pre><br />
Subsystem sftp internal-sftp<br />
</pre><br />
<br />
Now the $100 question: ''"how can OpenSSH can be told to restrict a user access to a simple sftp session?"'' Simple! Just add to the file '''/etc/sshd/sshd_config''' the following statement:<br />
<br />
<pre><br />
Match group sftponly<br />
ChrootDirectory /home/%u<br />
X11Forwarding no<br />
AllowTcpForwarding no<br />
ForceCommand internal-sftp<br />
</pre><br />
<br />
<br />
[[Category:HOWTO]]</div>404 Error