How to configure SFTP so it behaves like ftp chrooting user to his home directory?
Solution 1
In addition to Stephane's answer I'd like to point out that there is FTPS, too. FTPS is the classic FTP protocol over an SSL-secured connection. If you meant this you'd have to adjust your question of course, but it would be a completely different question then.
There are two variations of FTPS, one were the control channel is secured (credentials etc) and another where also the data channel is secured. However, as Stephane already pointed out, the protocols are different, including capabilities and commands.
Concerning your comment. You can configure in /etc/ssh/sshd_config
to allow based on certain criteria only a certain directory structure. Here's an example that will confine all members of the group sftponly
to the /home
folder. Adjust to your needs:
Match group sftponly
ChrootDirectory /home
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp
PasswordAuthentication no
As you can see it also sets other options. Strictly speaking for the functionality you ask you'd only need this:
Match group sftponly
ChrootDirectory /home
ForceCommand internal-sftp
But of course these options prevent users from (ab)using other SSH facilities.
Consult man sshd_config
for more details in particular on the Match
directive. You can also match per-user, per-host and per (remote) address.
Solution 2
vsftpd
is a FTP server implementing the FTP protocol. Some extensions for encryption are available for FTP, but they are completely different from SFTP which is a subsystem of SSH.
If you want to use sftp
, you need to configure a ssh
server and enable the sftp
subsystem (see the sshd_config
man page for details). It's also possible to configure sftp
with chroot
ed user areas.
Related videos on Youtube
Comments
-
Mangesh Jogade over 1 year
I have installed
vsftpd
utility on Fedora 10 to restrict users to their (chroot) home directories. It works fine when I useftp
prompt to connect. However it does not work when i connect usingsftp
.What changes are required in order to achieve same functionality with
sftp
?-
vonbrand about 11 yearsFedora 10 is very old, better update to current Fedora 18. If Fedora's short lifetime is a problem to you, check out CentOS <centos.org>, a Red Hat Enterrise clone.
-
Mangesh Jogade about 11 yearsActually this fedora is a testing server. I am trying to implement a POC over there.
-
-
Mangesh Jogade about 11 yearsCould you please provide any informative link describing procedure, that would really help?
-
Mangesh Jogade about 11 yearsMy requirement is that user should ONLY be able to log in through SFTP.So i need kind of restricted SFTP environment for those users.but again they should be able to create and get files from their home directories.
-
0xC0000022L about 11 years@Mangesh Jogade: added to my answer. But please fix your question. There is no such thing as SFTPD and I have no idea what you mean by "SFTP prompt". There is an
sftp
subsystem to thesshd
, that's all. -
Mangesh Jogade about 11 yearsi have changed sftpd to vsftpd in my question. and yes i am referring to sftp subsystem only
-
0xC0000022L about 11 years@Mangesh Jogade: so what is unclear about my answer? Any questions? It's of course possible that the version of OpenSSH that comes with Fedora 10 is too old, but you can always build a newer one, of course.
-
Mangesh Jogade about 11 yearsI tried doing modifications as per your suggestion, however when i write "ChrootDirectory /home" in ssd_config for any user, that user is not able to log in through sftp .server returns 'Couldn't read packet: Connection reset by peer' not sure why this happens
-
jirib over 10 yearsAnd you have provided no debug output, neither from ssh/sftp client and sshd server. Ah... I can guest... homedir in /etc/passwd is /home/foobar and under /home there is no /home/home/foobar... Magic ball over.
-
jirib over 10 yearsSee previous answer, there is all you need. And read man sshd_config!
-
Shenal Silva almost 8 yearsCan public key authentication be used for such a user ?
-
0xC0000022L almost 8 years@ShenalSilva: absolutely, yes.
-
0xC0000022L almost 8 years@JiriXichtkniha: although this can be countered by bind-mounting all that's needed into place. I am not 100% certain at which point
sshd
would read from thepasswd
database and at what point it wouldchroot
. However, it stands to reason that it would do thechroot
call only after all else is in place.