How do I create a guest ftp user and give access to specific sub-folder with SSH?
Here's an overview of how you'd create the user, install vsftpd, and configure the chroot in CentOS Linux.
Creating the user and setting a password:
[root@server ~]# useradd -s /sbin/nologin ftpuser
[root@server ~]# passwd ftpuser
Changing password for user ftpuser.
New UNIX password:
Retype new UNIX password:
passwd: all authentication tokens updated successfully.
[root@server ~]#
Note that the "-s /sbin/nologin" option to useradd will allow the user to connect via FTP, but disable them from accessing via SSH.
Installing the FTP server:
[root@server ~]# yum install vsftpd
Total download size: 141 k
Is this ok [y/N]: y
Downloading Packages:
vsftpd-2.0.5-16.el5_6.1.i386.rpm | 141 kB 00:00
Running rpm_check_debug
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
Installing : vsftpd 1/1
Installed:
vsftpd.i386 0:2.0.5-16.el5_6.1
Complete!
[root@server ~]#
Adding the directive to lock local users in their home directories:
[root@server ~]# echo "chroot_local_user=YES" >> /etc/vsftpd/vsftpd.conf
[root@server ~]#
Starting the FTP server:
[root@server ~]# /etc/init.d/vsftpd start
Starting vsftpd for vsftpd: [ OK ]
[root@server ~]#
Here I created a test file in the user's home directory:
[root@server ~]# touch /home/ftpuser/testfile
[root@server ~]#
And finally, I connected via FTP:
[root@server ~]# ftp localhost
Connected to localhost.localdomain.
220 (vsFTPd 2.0.5)
530 Please login with USER and PASS.
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication type
Name (localhost:root): ftpuser
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> pwd
257 "/"
ftp> dir
227 Entering Passive Mode (127,0,0,1,231,117)
150 Here comes the directory listing.
-rw-r--r-- 1 0 0 0 May 04 13:29 testfile
226 Directory send OK.
ftp>
You can see that the user is told they're in "/", when really they're in their home directory /home/ftpuser that was created when we made the user. They are not allowed to go up a level in the filesystem:
ftp> pwd
257 "/"
ftp> cd ..
250 Directory successfully changed.
ftp> pwd
257 "/"
ftp> ls
227 Entering Passive Mode (127,0,0,1,163,240)
150 Here comes the directory listing.
-rw-r--r-- 1 0 0 0 May 04 13:29 testfile
226 Directory send OK.
ftp>
And they're not allowed to connect via SSH:
[root@server ~]# ssh ftpuser@localhost
ftpuser@localhost's password:
Last login: Wed May 4 08:38:54 2011 from localhost.localdomain
This account is currently not available.
Connection to localhost closed.
[root@server ~]#
Bonus: configure vsftpd to start on boot:
[root@server ~]# chkconfig vsftpd on
[root@server ~]#
Finally, I'm not sure if GoDaddy has SELinux enabled on their servers by default. If they do, you may receive this error when trying to log in with your FTP user:
[root@server ~]# ftp localhost
Connected to localhost.localdomain.
220 (vsFTPd 2.0.5)
530 Please login with USER and PASS.
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication type
Name (localhost:root): ftpuser
331 Please specify the password.
Password:
500 OOPS: chroot
Login failed.
ftp>
SELinux is an additional layer of ACLs built into the system to provide very granular security options, but is a bit complicated. Many people disable it, and I'd recommend you do so as well if you're just starting out. Here's how you set it to permissive mode temporarily:
[root@server ~]# setenforce 0
[root@server ~]#
And if you'd like to do so permanently, you can edit /etc/sysconfig/selinux.
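An added example, not part of the original answer: a small POSIX shell audit of the two things the walkthrough relies on, that the effective chroot_local_user value is YES and that the FTP account's shell is /sbin/nologin. It goes one step beyond the answer by also handling chroot_list_enable, which inverts the meaning of the chroot list when chroot_local_user=YES. The function names and all sample files are assumptions constructed for the demonstration.

```shell
#!/bin/sh
# Added example: which local users do the chroot settings above really jail?
# All sample files below are constructed for the demonstration.

# Effective value of a vsftpd option. Assignments are applied in file order,
# so the last one wins (relevant after appending with "echo ... >>").
# vsftpd permits no spaces around "=", so only exact "name=value" lines count.
vsftpd_opt() {  # usage: vsftpd_opt <conf> <option> <default>
    awk -v k="$2" -v d="$3" '
        index($0, k "=") == 1 { v = substr($0, length(k) + 2); seen = 1 }
        END { sub(/\r$/, "", v); print (seen ? v : d) }' "$1"
}

is_on() {  # vsftpd booleans: YES, TRUE or 1, case-insensitive
    case "$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')" in
        YES|TRUE|1) return 0 ;; *) return 1 ;;
    esac
}

# Succeeds if <user> would be chrooted. With chroot_local_user=YES the
# chroot list is inverted: it names the users that are NOT jailed.
user_is_jailed() {  # usage: user_is_jailed <conf> <chroot-list> <user>
    listed=1   # 1 = not on an active chroot list
    if is_on "$(vsftpd_opt "$1" chroot_list_enable NO)" &&
       grep -qxF -- "$3" "$2" 2>/dev/null; then listed=0; fi
    if is_on "$(vsftpd_opt "$1" chroot_local_user NO)"; then
        [ "$listed" -ne 0 ]
    else
        [ "$listed" -eq 0 ]
    fi
}

login_shell() {  # usage: login_shell <passwd-format file> <user> (field 7)
    awk -F: -v u="$2" '$1 == u { print $7 }' "$1"
}

# --- constructed sample data: a config where the option was appended twice ---
demo=$(mktemp -d)
printf '%s\n' 'anonymous_enable=NO' '#chroot_local_user=YES' \
    'chroot_local_user=NO' 'chroot_list_enable=YES' \
    'chroot_local_user=YES' > "$demo/vsftpd.conf"
printf '%s\n' 'otheruser' > "$demo/chroot_list"
printf '%s\n' 'ftpuser:x:500:500::/home/ftpuser:/sbin/nologin' \
    'otheruser:x:501:501::/home/otheruser:/bin/bash' > "$demo/passwd"
for u in ftpuser otheruser; do
    user_is_jailed "$demo/vsftpd.conf" "$demo/chroot_list" "$u" \
        && j=jailed || j=NOT-jailed
    echo "$u: $j, shell=$(login_shell "$demo/passwd" "$u")"
done
```

Point the functions at the server's own vsftpd.conf, chroot list file and /etc/passwd to check a live configuration.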
gourav
Updated on September 18, 2022
gourav almost 2 years
I just got a virtual dedicated server at GoDaddy. I got the Simple Control Panel. There doesn't seem to be a way to create a guest ftp user through this control panel and I was told it must be created through SSH. I have a program called Putty which can log into the server via SSH. I'm familiar with logging in but does anyone know what the commands are to be used to create a guest ftp user and give them Read and Write access to a particular folder?
Regards gourav