SFTP Only Access
[edit] Context
In some cases, it can be useful to set up an access on your Funtoo box such as a user:
- does not see the whole contents of the machine but, instead, remains "jailed" in a home directory
- is able to transfer files back and forth on the box via SFTP
- does not have access to a shell
Such a SFTP only access is easy to setup:
- Assign a group (e.g. sftponly) to users that must be restricted to a SFTP-only account
- Change a bit the configuration of OpenSSH so that users belonging to your sftp-only group are given a chrooted access
- Make OpenSSH ignore any other command than running sftp-server on the server side for users belonging to your sftp-only group (this is where the trick lies !)
[edit] Quick start
First, a dedicated group must be created. For the sake of the example we use sftponly here, use whatever name fits your preferences:
# groupadd sftponly
Next in the configuration of OpenSSH (located in /etc/sshd/sshd_config) locate:
Subsystem sftp /usr/lib64/misc/sftp-server
and change it for:
Subsystem sftp internal-sftp
Now the $100 question: "how can OpenSSH can be told to restrict a user access to a simple sftp session?" Simple! Assuming that sftponly is the group you use for for your restricted users, just add to the file /etc/sshd/sshd_config the following statement:
# Restricted users, no TCP connexions bouncing, no X tunneling.
Match group sftponly
ChrootDirectory /home/%u
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp
To understand how it works, you must be aware that, when you open an SSH session, the SSHD process launch a process on the server side which could be:
- a shell => ssh login@host
- a kind of dedicated ftp daemon (sftp-server) => sftp user@host
TBC
