Skip to main content.

Filesharing with chrooted SFTP

2014-02-12

Live demo in BSD Now Episode 024 | Originally written by TJ for bsdnow.tv | Last updated: 2014/05/08

So you've followed our SSH tutorial and now you're ready to hand out accounts to your friends, right? Well, there are times when you want to securely share files with them, but don't want them having shell access to your server. OpenSSH includes SFTP, the secure file transfer protocol, which provides both authentication and encryption. Normally, you need to give a user an SSH login for them to be able to transfer files via SFTP, but there’s also a useful option to disallow shell access and only let them transfer files. What's more, you can lock them to a certain directory so they can't browse your filesystem. This tutorial will show you how to do just that. I’m assuming you already have sshd configured and running.

Let's create a new user for them to use and edit the sshd_config file to chroot them.

# adduser

Username: gnub
Full name: Some Random GNUb
Uid (Leave empty for default):
Login group [gnub]:
Login group is gnub. Invite gnub into other groups? []:
Login class [default]:
Shell (sh csh tcsh bash rbash nologin) [sh]: nologin
Home directory [/home/gnub]:
Home directory permissions (Leave empty for default):
Use password-based authentication? [yes]:
Use an empty password? (yes/no) [no]:
Use a random password? (yes/no) [no]:
Enter password:
Enter password again:
Lock out the account after creation? [no]:
Username   : gnub
Password   : *****
Full Name  : Some Random GNUb
Uid     : 1004
Class     :
Groups   : gnub
Home       : /home/gnub
Home Mode  :
Shell     : /usr/sbin/nologin
Locked   : no
OK? (yes/no): yes
adduser: INFO: Successfully added (gnub) to the user database.
Add another user? (yes/no): no
Goodbye!

Take note of the "nologin" shell - that's not the default. Next we edit the SSH configuration:

# vi /etc/ssh/sshd_config

Add something like this to the bottom:

Match User gnub
    PasswordAuthentication yes
    ChrootDirectory %h
    ForceCommand internal-sftp
    AllowTcpForwarding no
    AllowAgentForwarding no
    PermitTunnel no
    PermitTTY no
    X11Forwarding no

Restart the daemon.

# /etc/rc.d/sshd restart

Next, we set some permissions and make a directory for them to actually put files in.

# chown root:gnub /home/gnub
# mkdir /home/gnub/files
# chown gnub:gnub /home/gnub/files

Now you can give your friend the SFTP login and they will be locked in the home directory, but able to upload and download things to and from the "files" directory. If they try to login via SSH to get a shell, they should get the error:

This service allows sftp connections only.

Too bad for them.

Latest News

New discussion segment

2015-01-17

We're thinking about adding a new segment to the show where we discuss a topic that the listeners suggest. It's meant to be informative like a tutorial, but more of a "free discussion" format. If you have any subjects you want us to explore, or even just a good name...

How did you get into BSD?

2014-11-26

We've got a fun idea for the holidays this year: just like we ask during the interviews, we want to hear how all the viewers and listeners first got into BSD. Email us your story, either written or a video version, and we'll read and play some of them for...

EuroBSDCon 2014

2014-09-18

As you might expect, both Allan and Kris will be at EuroBSDCon this year. They'll be busy hunting down various BSD developers and forcing them to do interviews, but don't hesitate to say hi if you're a listener!...

BSDCan 2014

2014-04-30

We just wrapped up episode 35 after having some horrible audio issues. Sorry about the quality being lower than usual, we did the best we could given the circumstances. Next week we've got a normal episode, but the following week Allan and Kris will be at BSDCan. That week will...


Episode 086: Business as Usual

2015-04-22

Direct Download: Video | HD Video | MP3 Audio | OGG Audio | Torrent This episode was brought to you by Headlines Optimizing TLS for high bandwidth applications Netflix has released a report on some of their recent activities, pushing lots of traffic through TLS on FreeBSD TLS has traditionally had too much overhead for the...

Episode 085: PIE in the Sky

2015-04-15

Direct Download: Video | HD Video | MP3 Audio | OGG Audio | Torrent This episode was brought to you by Headlines Solaris' networking future is with OpenBSD A curious patch from someone with an Oracle email address was recently sent in to one of the OpenBSD mailing lists It was revealed that future releases of...

Episode 084: pkg remove freebsd-update

2015-04-08

Direct Download: Video | HD Video | MP3 Audio | OGG Audio | Torrent This episode was brought to you by Headlines Xen dom0 in FreeBSD 11-CURRENT FreeBSD has just gotten dom0 support for the Xen hypervisor, something NetBSD has had for a while now The ports tree will now have a Xen kernel and toolstack,...

Episode 083: woN DSB

2015-04-01

Direct Download: Video | HD Video | MP3 Audio | OGG Audio | Torrent This episode was brought to you by Headlines Major changes coming in PCBSD 11 The PCBSD team has announced that version 11.0 will have some more pretty big changes (as they've been known to do lately with NTP daemons and firewalls) Switching...