How to set up virtual users for sftp (sshd) with access to a specific sub directory?


ProFTPd allows you to create virtual FTP/SFTP users and map them to a real user's uid and gid.


Author by

Webdesigner

Updated on September 18, 2022

Comments

  • Webdesigner
    Webdesigner over 1 year

    I am trying to set up virtual users for sftp with sshd and/or pam.

    My folder structure looks like this:

    /
    |-- var
    |   +-- www
    |       +-- site1
    |           +-- folder_1
    |           +-- folder_2
    |       +-- site2
    |           +-- folder_1
    |           +-- folder_2
    

    Each site does have a Linux user (e.g. site1, site2) with the same group (site1, site2) where the home directory is e.g. /var/www/site1. The umask is 0022 and all files and (sub)folders for e.g. site1 have UID=site1 and GID=site1 and this should not be changed.

    I was able to set up sshd so that each Linux user gets his home directory as sftp root folder, e.g. /var/www/site1 for user site1. The config in /etc/ssh/sshd_config looks something like this
    (only last few lines, the rest is default configuration):

    UsePAM yes
    Subsystem sftp internal-sftp
    Match User *,!root
        ChrootDirectory %h
        ForceCommand internal-sftp -u 0022
        AllowTcpForwarding no
    

    Now I want to add a Virtual User (no new Linux user or group if not needed) where the sftp root folder is e.g. /var/www/site1/folder1 for a sftp user e.g. site1_folder1. This user should be a child of the user site1 and use the same UID and GID but only have access to his subdirectory.

    How do I have to change my configuration, and where can I add Virtual User?

    I need this on Ubuntu 16.04 LTS, LAMP Server

    • Gregory
      Gregory about 6 years
      OpenSSH uses PAM (sshd_config file directive UsePAM). You just need to learn how to set up pam-libpsql with it - which should take an hour or so. So yes, you can have virtual users, but you will probably need to add a UID/GUID field in your DB for every user. If what HellionWisp said was true, you could never set up LDAP or any external form of Authentication/Authorization. Take a look at /etc/pam.d/sshd - but I would not recommend messing with it on a remote host, test it in a local VM first! You can actually look for SSH ldap auth for hints!
  • Webdesigner
    Webdesigner over 6 years
    But I need the same UID and GID ... I know this is possible somehow... one Webprovider does it but I don't know how...
  • Bachsau
    Bachsau over 5 years
    SFTP ≠ FTPS !!! ProFTPd is an FTP server that also supports FTPS, which is FTP over TLS. SFTP on the other hand is a method of transferring files over an SSH connection that has nothing in common with traditional FTP.
  • dominz88
    dominz88 over 5 years
    ProFTPd is an FTP server, but it also supports SFTP connections proftpd.org/docs/contrib/mod_sftp.html
  • Bachsau
    Bachsau over 5 years
    Sorry, I didn't know about that feature of ProFTPd, so I thought you just mixed this up. However, I will leave my comment anyway, so that others might get the hint.
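
The ProFTPD approach from the answer, applied to the question's layout, as an added example that is not part of the original thread or of the ProFTPD project. Assumptions: port 2222 (OpenSSH keeps port 22), the file path /etc/proftpd/sftp.passwd, and 1001 as the numeric UID/GID of the Linux user site1 (check with `id site1`).

```apache
# /etc/proftpd/proftpd.conf (fragment) - ProFTPD serving SFTP only, via mod_sftp.
#
# Virtual users live in a passwd-style file, not in /etc/passwd:
#   name:password-hash:uid:gid:gecos:home:shell
# Create the entry with the ftpasswd tool shipped with ProFTPD
# (it prompts for the password; 1001 is an assumed UID/GID for site1):
#
#   ftpasswd --passwd --file=/etc/proftpd/sftp.passwd \
#            --name=site1_folder1 --uid=1001 --gid=1001 \
#            --home=/var/www/site1/folder_1 --shell=/bin/false
#
# Resulting line (hash shown as a placeholder):
#   site1_folder1:<hash>:1001:1001::/var/www/site1/folder_1:/bin/false
#
# Keep the file readable only by root:
#   chown root:root /etc/proftpd/sftp.passwd && chmod 600 /etc/proftpd/sftp.passwd

<IfModule mod_sftp.c>
  SFTPEngine        on
  Port              2222                  # assumed; sshd stays on 22
  SFTPHostKey       /etc/ssh/ssh_host_rsa_key
  SFTPAuthMethods   password

  # Authenticate only against the virtual user file, so system
  # accounts cannot log in through this service.
  AuthOrder         mod_auth_file.c
  AuthUserFile      /etc/proftpd/sftp.passwd

  # Virtual users have /bin/false as shell; do not require a
  # shell listed in /etc/shells.
  RequireValidShell off

  # Jail every session in the home directory from the AuthUserFile
  # entry: site1_folder1 sees /var/www/site1/folder_1 as "/".
  DefaultRoot       ~

  # Same umask as the existing sshd setup, so uploaded files keep
  # the permissions used elsewhere under /var/www/site1.
  Umask             0022
</IfModule>
```

Files uploaded by site1_folder1 are owned by UID/GID 1001, the same as the site1 user's files, while the session cannot leave /var/www/site1/folder_1. The existing OpenSSH `Match User` chroot for the real Linux users is unaffected.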