Step 1 — Creating a New User
Step 2 — Creating a Directory for File Transfers
There are a number of ways to work around this ownership issue. In this tutorial, we’ll create and use /var/sftp/uploads as the target upload directory. /var/sftp will be owned by root and will be unwritable by other users; the subdirectory /var/sftp/uploads will be owned by sammyfiles, so that user will be able to upload files to it.
First, create the directories.
mkdir -p /var/sftp/uploads
Set the owner of /var/sftp to root.
chown root:root /var/sftp
Give root write permissions to the same directory, and give other users only read and execute rights. The chroot directory must be owned by root and must not be writable by anyone else, or sshd will refuse the login.
chmod 755 /var/sftp
Change the ownership of the uploads directory to sammyfiles.
chown sammyfiles:sammyfiles /var/sftp/uploads
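sshd applies the ownership rule above to every component of the ChrootDirectory path, not only to the final directory. The following script, added here as an example and not part of the original tutorial, walks a path from / down and reports the first component that is not owned by root or is writable by group or others. It assumes GNU coreutils stat (the -c option).

```shell
#!/bin/sh
# Verify that a ChrootDirectory path meets sshd's requirements:
# every component is owned by root (uid 0) and has no group/other write bit.
# Assumes GNU coreutils stat. Example code, not the tutorial's own.

# chroot_component_ok UID OCTAL_MODE -> 0 if acceptable, 1 otherwise.
# OCTAL_MODE is what `stat -c %a` prints, e.g. 755 or 1777.
chroot_component_ok() {
    uid=$1
    mode=$(( 0$2 ))                               # leading 0 -> octal
    [ "$uid" -eq 0 ] || return 1                  # must be owned by root
    [ $(( mode & 022 )) -eq 0 ] || return 1       # no group/other write bit
    return 0
}

# check_chroot_path DIR -> checks /, then each prefix of DIR in turn.
# Prints the first offending component and returns 1; returns 0 if all pass.
check_chroot_path() {
    target=$1
    old_ifs=$IFS; IFS=/; set -- $target; IFS=$old_ifs   # split on '/'
    cur=""
    for part in "" "$@"; do            # the leading "" stands for / itself
        [ -n "$part" ] || [ -z "$cur" ] || continue   # skip empty pieces
        cur="${cur%/}/$part"
        uid=$(stat -c %u "$cur" 2>/dev/null) || { echo "missing: $cur"; return 1; }
        mode=$(stat -c %a "$cur")
        if ! chroot_component_ok "$uid" "$mode"; then
            echo "bad: $cur (uid $uid, mode $mode)"
            return 1
        fi
    done
    echo "ok: $target"
    return 0
}

# Usage: run as root after Step 2, before restarting sshd.
# check_chroot_path /var/sftp
```

A failure here is the usual cause of "bad ownership or modes for chroot directory" in the auth log after a user is denied.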
Step 3 — Restricting Access to One Directory
Scroll to the very bottom of the file and append the following configuration snippet:
. . .
Match User sammyfiles
ForceCommand internal-sftp
PasswordAuthentication yes
ChrootDirectory /var/sftp
PermitTunnel no
AllowAgentForwarding no
AllowTcpForwarding no
X11Forwarding no
Then save and close the file.
Here’s what each of those directives does:
Match User tells the SSH server to apply the following directives only to the user specified. Here, we specify sammyfiles.
ForceCommand internal-sftp forces the SSH server to run the SFTP server upon login, disallowing shell access.
PasswordAuthentication yes allows password authentication for this user.
ChrootDirectory /var/sftp ensures that the user will not be allowed access to anything beyond the /var/sftp directory. You can learn more about chroot in this chroot tutorial.
PermitTunnel no and AllowAgentForwarding no disable tun device tunneling and SSH agent forwarding for this user.
AllowTcpForwarding no and X11Forwarding no disable port forwarding and X11 forwarding for this user.
This set of directives, starting with Match User, can be copied and repeated for different users too. Make sure to modify the username in the Match User line accordingly.
To apply the configuration changes, restart the service.
systemctl restart sshd
You have now configured the SSH server to restrict access to file transfer only for sammyfiles. The last step is testing the configuration to make sure it works as intended.
Step 4 — Verifying the Configuration
Let’s ensure that our new sammyfiles user can only transfer files.
Logging in to the server as sammyfiles using normal shell access should no longer be possible.