Filesharing with chrooted SFTP
Live demo in BSD Now Episode 024.
So you've followed our SSH tutorial and now you're ready to hand out accounts to your friends, right? Well, there are times when you want to securely share files with them, but don't want them having shell access to your server. OpenSSH includes SFTP, the secure file transfer protocol, which provides both authentication and encryption. Normally, you need to give a user an SSH login for them to be able to transfer files via SFTP, but there's also a useful option to disallow shell access and only let them transfer files. What's more, you can lock them to a certain directory so they can't browse your filesystem. This tutorial will show you how to do just that. I'm assuming you already have sshd configured and running.
Let's create a new user for them to use and edit the sshd_config file to chroot them.
# adduser
Username: gnub
Full name: Some Random GNUb
Uid (Leave empty for default):
Login group [gnub]:
Login group is gnub. Invite gnub into other groups? :
Login class [default]:
Shell (sh csh tcsh bash rbash nologin) [sh]: nologin
Home directory [/home/gnub]:
Home directory permissions (Leave empty for default):
Use password-based authentication? [yes]:
Use an empty password? (yes/no) [no]:
Use a random password? (yes/no) [no]:
Enter password:
Enter password again:
Lock out the account after creation? [no]:
Username   : gnub
Password   : *****
Full Name  : Some Random GNUb
Uid        : 1004
Class      :
Groups     : gnub
Home       : /home/gnub
Home Mode  :
Shell      : /usr/sbin/nologin
Locked     : no
OK? (yes/no): yes
adduser: INFO: Successfully added (gnub) to the user database.
Add another user? (yes/no): no
Goodbye!
Take note of the "nologin" shell - that's not the default. Next we edit the SSH configuration:
# vi /etc/ssh/sshd_config
Add something like this to the bottom:
Match User gnub
    ChrootDirectory %h
    PasswordAuthentication yes
    ForceCommand internal-sftp
    PermitTTY no
    X11Forwarding no
    AllowTcpForwarding no
    AllowAgentForwarding no
Restart the daemon.
# /etc/rc.d/sshd restart
Next, we set some permissions and make a directory for them to actually put files in. sshd will only chroot into a directory that is owned by root and not writable by any other user or group, so the home directory itself stays root-owned and the user gets a writable subdirectory instead.
# chown root:gnub /home/gnub
# mkdir /home/gnub/files
# chown gnub:gnub /home/gnub/files
Now you can give your friend the SFTP login and they will be locked in the home directory, but able to upload and download things to and from the "files" directory. If they try to log in via SSH to get a shell, they should get the error:
This service allows sftp connections only.
Too bad for them.
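As an added example (not part of the original tutorial), the Python script below audits a setup like the one above: it parses the Match block out of sshd_config text, expands %h to the user's home directory, flags any of the tutorial's options that are missing or changed, and checks that the chroot directory is root-owned and not group- or world-writable, which sshd requires before it will chroot a session. The sample config is constructed from the block above and the function names are my own.

```python
import os
import stat
# Match-block options this tutorial sets for the SFTP-only user (sshd keywords are case-insensitive).
EXPECTED = {"chrootdirectory": "%h", "forcecommand": "internal-sftp", "permittty": "no",
            "x11forwarding": "no", "allowtcpforwarding": "no", "allowagentforwarding": "no"}
# Constructed sample: the Match block from this tutorial, as it would appear in sshd_config.
SAMPLE_CONFIG = """Match User gnub
    ChrootDirectory %h
    PasswordAuthentication yes
    ForceCommand internal-sftp
    PermitTTY no
    X11Forwarding no
    AllowTcpForwarding no
    AllowAgentForwarding no
"""

def parse_match_blocks(text):
    """Map each 'Match ...' criterion (lowercased) to the options listed beneath it."""
    blocks, current = {}, None
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)  # strip comments; "Keyword value" form only
        if not parts:
            continue
        key, value = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if key == "match":
            current = blocks.setdefault(value.lower(), {})
        elif current is not None:  # options before the first Match are global; ignore them
            current[key] = value
    return blocks

def chroot_issues(st_uid, st_mode):
    """sshd refuses a chroot unless it and every parent are root-owned and not group/world-writable."""
    issues = []
    if st_uid != 0:
        issues.append("chroot not owned by root")
    if st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        issues.append("chroot is group- or world-writable")
    return issues

def audit(config_text, user, home):
    """List deviations from the tutorial's Match block for one user; %h expands to the user's home."""
    options = parse_match_blocks(config_text).get(f"user {user}".lower())
    if options is None:
        return [f"no Match User {user} block"]
    issues = [f"{k} should be {v}" for k, v in EXPECTED.items() if options.get(k, "").lower() != v]
    chroot = options.get("chrootdirectory", "").replace("%h", home)
    if os.path.isdir(chroot):  # only meaningful when run on the server itself
        st = os.stat(chroot)
        issues += chroot_issues(st.st_uid, st.st_mode)
    return issues
```

Run it on the server as `audit(open("/etc/ssh/sshd_config").read(), "gnub", "/home/gnub")`; an empty list means the block and the chroot directory match what this tutorial set up.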
Originally written by TJ for bsdnow.tv | Last updated: 2014/02/12