Filesharing with chrooted SFTP

2014-02-12

Live demo in BSD Now Episode 024.

So you've followed our SSH tutorial and now you're ready to hand out accounts to your friends, right? Well, there are times when you want to securely share files with them, but don't want them having shell access to your server. OpenSSH includes SFTP, the secure file transfer protocol, which runs over SSH and so gets the same authentication and encryption. Normally, you need to give a user an SSH login for them to be able to transfer files via SFTP, but there's also a useful option to disallow shell access and only let them transfer files. What's more, you can lock them into a single directory (a chroot) so they can't browse the rest of your filesystem. This tutorial will show you how to do just that. I'm assuming you already have sshd configured and running.

Let's create a new user for them to use and edit the sshd_config file to chroot them.

# adduser

Username: gnub
Full name: Some Random GNUb
Uid (Leave empty for default):
Login group [gnub]:
Login group is gnub. Invite gnub into other groups? []:
Login class [default]:
Shell (sh csh tcsh bash rbash nologin) [sh]: nologin
Home directory [/home/gnub]:
Home directory permissions (Leave empty for default):
Use password-based authentication? [yes]:
Use an empty password? (yes/no) [no]:
Use a random password? (yes/no) [no]:
Enter password:
Enter password again:
Lock out the account after creation? [no]:
Username   : gnub
Password   : *****
Full Name  : Some Random GNUb
Uid     : 1004
Class     :
Groups   : gnub
Home       : /home/gnub
Home Mode  :
Shell     : /usr/sbin/nologin
Locked   : no
OK? (yes/no): yes
adduser: INFO: Successfully added (gnub) to the user database.
Add another user? (yes/no): no
Goodbye!

Take note of the "nologin" shell; that's not the default. With the sshd settings below the shell is never started anyway (ForceCommand runs the in-process SFTP server instead of a shell), but nologin means the account can't get a shell through some other path either. Next we edit the SSH configuration:

# vi /etc/ssh/sshd_config

Add something like this at the bottom of the file. Everything after a Match line belongs to that block until the next Match, so it has to come after the global settings:

Match User gnub
    ChrootDirectory %h
    PasswordAuthentication yes
    ForceCommand internal-sftp
    PermitTTY no
    X11Forwarding no
    AllowTcpForwarding no
    AllowAgentForwarding no

Restart the daemon so the new Match block takes effect.

# /etc/rc.d/sshd restart

Next, we set some permissions and make a directory for them to actually put files in. sshd requires the chroot directory, and every directory above it, to be owned by root and not writable by group or others (755 is the usual mode); otherwise it refuses the login and logs "bad ownership or modes for chroot directory". Since the user therefore can't write to the top of their chroot, we give them a subdirectory they own:

# chown root:gnub /home/gnub
# mkdir /home/gnub/files
# chown gnub:gnub /home/gnub/files
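The whole procedure above in one script, as an added example that is not part of the original tutorial or of BSD Now. It assumes a FreeBSD-style layout: pw(8) for account creation, /home/$user as the home directory, /etc/ssh/sshd_config and /etc/rc.d/sshd, and OpenSSH's `sshd -t` / `sshd -T -C` test modes. The checker functions only read `ls -ld` output and are safe to run anywhere; the parts that change the system run only when the script is invoked with `--apply` as root.

```sh
#!/bin/sh
# Added example: non-interactive version of the chrooted-SFTP setup, plus a checker
# for the ownership rule sshd enforces on ChrootDirectory. Assumptions: FreeBSD
# pw(8), /home/$user, /etc/ssh/sshd_config, /etc/rc.d/sshd. Nothing is changed on
# the system unless the script is run as "--apply USER".

SSHD_CONFIG=${SSHD_CONFIG:-/etc/ssh/sshd_config}

# chroot_line_ok "LS_LINE": given one line of `ls -ld` output, succeed only if it is
# a directory owned by root with no group or other write bit. This is the rule sshd
# applies to the chroot directory and to each of its parent directories.
chroot_line_ok() {
    line=$1
    mode=$(printf '%s\n' "$line" | awk '{print $1}')
    owner=$(printf '%s\n' "$line" | awk '{print $3}')
    case $mode in d*) ;; *) return 1 ;; esac     # must be a directory
    [ "$owner" = "root" ] || return 1
    gw=$(printf '%s' "$mode" | cut -c6)          # group write bit
    ow=$(printf '%s' "$mode" | cut -c9)          # other write bit
    [ "$gw" = "-" ] && [ "$ow" = "-" ]
}

# chroot_path_ok /abs/path: walk from the directory up to "/" and apply the rule to
# every component, the same way sshd does before it chroots.
chroot_path_ok() {
    dir=$1
    case $dir in /*) ;; *) echo "chroot_path_ok: need an absolute path" >&2; return 1 ;; esac
    while :; do
        chroot_line_ok "$(ls -ld "$dir")" || {
            echo "bad ownership or modes for chroot directory component: $dir" >&2
            return 1
        }
        [ "$dir" = "/" ] && return 0
        dir=$(dirname "$dir")
    done
}

# show_effective_config USER: print what sshd will apply to this user, so you can
# confirm the Match block took effect (sshd -T expands Match for the given connection).
show_effective_config() {
    sshd -T -f "$SSHD_CONFIG" -C "user=$1,host=localhost,addr=127.0.0.1" |
        grep -Ei '^(chrootdirectory|forcecommand|permittty|x11forwarding|allowtcpforwarding|allowagentforwarding)'
}

setup_sftp_user() {
    user=$1
    home=/home/$user                        # same layout the tutorial uses

    # 1. Account with no login shell (the non-interactive form of the adduser answers).
    pw useradd "$user" -m -d "$home" -s /usr/sbin/nologin -c "SFTP-only user" || return 1
    passwd "$user" || return 1              # prompts for the password, like adduser did

    # 2. Append the Match block once. Everything after "Match" belongs to that block,
    #    so it must go at the end of the file, after the global settings.
    if ! grep -q "^Match User $user\$" "$SSHD_CONFIG"; then
        cat >> "$SSHD_CONFIG" <<EOF

Match User $user
    ChrootDirectory %h
    PasswordAuthentication yes
    ForceCommand internal-sftp
    PermitTTY no
    X11Forwarding no
    AllowTcpForwarding no
    AllowAgentForwarding no
EOF
    fi

    # 3. The chroot root must be root-owned and not group/world writable, so the user
    #    gets a subdirectory they own instead of write access to their home.
    chown "root:$user" "$home" && chmod 755 "$home"
    mkdir -p "$home/files"
    chown "$user:$user" "$home/files" && chmod 750 "$home/files"
    chroot_path_ok "$home" || return 1

    # 4. Syntax-check first: a broken sshd_config would lock everyone out on restart.
    sshd -t -f "$SSHD_CONFIG" || return 1
    /etc/rc.d/sshd restart && show_effective_config "$user"
}

if [ "${1:-}" = "--apply" ]; then
    setup_sftp_user "${2:-gnub}"
fi
```

Run it as `sh sftp-chroot.sh --apply gnub` on the server. The `chroot_path_ok` check is worth keeping around on its own: the most common reason a chrooted SFTP login fails with "bad ownership or modes" is a home directory that was left user-owned or group-writable, and this finds the offending component instead of making you read the sshd log.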

Now you can give your friend the SFTP login. They will be locked in the home directory, which appears to them as "/", and can upload and download things to and from the "files" directory. If they try to log in via SSH to get a shell, they should get the error:

This service allows sftp connections only.

Too bad for them.

Originally written by TJ for bsdnow.tv | Last updated: 2014/02/12