SFTP Only Access

From Funtoo Linux
Revision as of 12:59, 30 August 2011 by 404 Error (Talk)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

Context

In some cases, it can be useful to set up an access on your Funtoo box such as a user:

  • does not see the whole contents of the machine but, instead, remains "jailed" in a home directory
  • is able to transfer files back and forth on the box via SFTP
  • does not have access to a shell

Such a SFTP only access is easy to setup:

  1. Assign a group (e.g. sftponly) to users that must be restricted to a SFTP-only account
  2. Change a bit the configuration of OpenSSH so that users belonging to your sftp-only group are given a chrooted access
  3. Make OpenSSH ignore any other command than running sftp-server on the server side for users belonging to your sftp-only group (this is where the trick lies !)

Quick start

First, a dedicated group must be created. For the sake of the example we use sftponly here, use whatever name fits your preferences: 

# groupadd sftponly

Next in the configuration of OpenSSH (located in /etc/sshd/sshd_config) locate: 

Subsystem      sftp    /usr/lib64/misc/sftp-server

and change it for: 

Subsystem      sftp    internal-sftp

Now the $100 question: "how can OpenSSH can be told to restrict a user access to a simple sftp session?" Simple! Just add to the file /etc/sshd/sshd_config the following statement: 

Match group sftponly
        ChrootDirectory /home/%u
        X11Forwarding no
        AllowTcpForwarding no
        ForceCommand internal-sftp
Retrieved from "http://www.funtoo.org/index.php?title=SFTP_Only_Access&oldid=5570"
Personal tools
Namespaces

Variants
Actions
Categories
Toolbox
Stuff