How to configure SFTP so it behaves like ftp chrooting user to his home directory?
Solution 1
In addition to Stephane's answer I'd like to point out that there is FTPS, too. FTPS is the classic FTP protocol over an SSL-secured connection. If you meant this you'd have to adjust your question of course, but it would be a completely different question then.
There are two variations of FTPS, one were the control channel is secured (credentials etc) and another where also the data channel is secured. However, as Stephane already pointed out, the protocols are different, including capabilities and commands.
Concerning your comment. You can configure in /etc/ssh/sshd_config to allow based on certain criteria only a certain directory structure. Here's an example that will confine all members of the group sftponly to the /home folder. Adjust to your needs:
Match group sftponly
ChrootDirectory /home
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp
PasswordAuthentication no
As you can see it also sets other options. Strictly speaking for the functionality you ask you'd only need this:
Match group sftponly
ChrootDirectory /home
ForceCommand internal-sftp
But of course these options prevent users from (ab)using other SSH facilities.
Consult man sshd_config for more details in particular on the Match directive. You can also match per-user, per-host and per (remote) address.
Solution 2
vsftpd is a FTP server implementing the FTP protocol. Some extensions for encryption are available for FTP, but they are completely different from SFTP which is a subsystem of SSH.
If you want to use sftp, you need to configure a ssh server and enable the sftp subsystem (see the sshd_config man page for details). It's also possible to configure sftp with chrooted user areas.
Related videos on Youtube
08 : 19
12 : 20
20 : 03
20 : 07
02 : 07
Comments
-
Mangesh Jogade over 1 year
I have installed
vsftpdutility on Fedora 10 to restrict users to their (chroot) home directories. It works fine when I useftpprompt to connect. However it does not work when i connect usingsftp.What changes are required in order to achieve same functionality with
sftp?-
vonbrand about 11 yearsFedora 10 is very old, better update to current Fedora 18. If Fedora's short lifetime is a problem to you, check out CentOS <centos.org>, a Red Hat Enterrise clone.
-
Mangesh Jogade about 11 yearsActually this fedora is a testing server. I am trying to implement a POC over there.
-
-
Mangesh Jogade about 11 yearsCould you please provide any informative link describing procedure, that would really help?
-
Mangesh Jogade about 11 yearsMy requirement is that user should ONLY be able to log in through SFTP.So i need kind of restricted SFTP environment for those users.but again they should be able to create and get files from their home directories.
-
0xC0000022L about 11 years@Mangesh Jogade: added to my answer. But please fix your question. There is no such thing as SFTPD and I have no idea what you mean by "SFTP prompt". There is an
sftpsubsystem to thesshd, that's all. -
Mangesh Jogade about 11 yearsi have changed sftpd to vsftpd in my question. and yes i am referring to sftp subsystem only
-
0xC0000022L about 11 years@Mangesh Jogade: so what is unclear about my answer? Any questions? It's of course possible that the version of OpenSSH that comes with Fedora 10 is too old, but you can always build a newer one, of course.
-
Mangesh Jogade about 11 yearsI tried doing modifications as per your suggestion, however when i write "ChrootDirectory /home" in ssd_config for any user, that user is not able to log in through sftp .server returns 'Couldn't read packet: Connection reset by peer' not sure why this happens
-
jirib over 10 yearsAnd you have provided no debug output, neither from ssh/sftp client and sshd server. Ah... I can guest... homedir in /etc/passwd is /home/foobar and under /home there is no /home/home/foobar... Magic ball over. -
jirib over 10 yearsSee previous answer, there is all you need. And read man sshd_config!
-
Shenal Silva almost 8 yearsCan public key authentication be used for such a user ?
-
0xC0000022L almost 8 years@ShenalSilva: absolutely, yes.
-
0xC0000022L almost 8 years@JiriXichtkniha: although this can be countered by bind-mounting all that's needed into place. I am not 100% certain at which point
sshdwould read from thepasswddatabase and at what point it wouldchroot. However, it stands to reason that it would do thechrootcall only after all else is in place.
