Provide sftp read/write access to folder and subfolders, restrict all else


If you want to restrict a user to SFTP, you can do it easily in the SSH daemon configuration file /etc/ssh/sshd_config. Put a Match block at the end of the file:

Match User bob
    ForceCommand internal-sftp
    ChrootDirectory /path/to/root
    AllowTCPForwarding no
    PermitTunnel no
    X11Forwarding no

If the jail directory is the user's home directory as declared in /etc/passwd, you can use ChrootDirectory %h instead of specifying an explicit path. This syntax allows specifying a group of user accounts as SFTP-only — all users whose group as declared in the user database is sftponly will be restricted to SFTP:

Match Group sftponly
    ForceCommand internal-sftp
    ChrootDirectory %h
    AllowTCPForwarding no
    PermitTunnel no
    X11Forwarding no
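As an added example (not part of the answer above), here is a POSIX shell script that puts the two steps a practitioner actually performs into checkable functions: it verifies that the chroot directory meets the conditions sshd enforces before it will chroot (the directory and every parent component must be owned by root and not group- or world-writable, which is why the user gets a writable subdirectory inside the jail rather than the jail itself), and it emits the Match block shown above for a given user and path. The `upload` subdirectory name and the `sftp-jail.sh` script name are assumptions; the `Match` directives are the ones from the answer.

```shell
#!/bin/sh
# Added example, not code from the original answer.  Checks a directory
# against sshd's ChrootDirectory rules and prints the Match block for a
# user.  The "upload" subdirectory name is an assumption.

# Return 0 if DIR is owned by uid 0 and not writable by group or others.
check_chroot_dir() {
    dir=$1
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 1; }
    if [ -z "$(find "$dir" -maxdepth 0 -uid 0)" ]; then
        echo "$dir is not owned by root" >&2
        return 1
    fi
    if [ -n "$(find "$dir" -maxdepth 0 \( -perm -g+w -o -perm -o+w \))" ]; then
        echo "$dir is group- or world-writable" >&2
        return 1
    fi
    return 0
}

# sshd applies the same rule to every path component, so walk from DIR up
# to / and check each one.
check_chroot_path() {
    p=$1
    while :; do
        check_chroot_dir "$p" || return 1
        [ "$p" = / ] && return 0
        p=$(dirname "$p")
    done
}

# Print the sshd_config Match block that jails USER ($1) into DIR ($2).
sftp_match_block() {
    printf 'Match User %s\n' "$1"
    printf '    ForceCommand internal-sftp\n'
    printf '    ChrootDirectory %s\n' "$2"
    printf '    AllowTCPForwarding no\n'
    printf '    PermitTunnel no\n'
    printf '    X11Forwarding no\n'
}

# Usage (as root): sftp-jail.sh USER CHROOT_DIR
# Creates CHROOT_DIR/upload owned by USER, verifies the jail, appends the
# Match block to sshd_config and syntax-checks the result with sshd -t.
if [ $# -eq 2 ] && [ "$(id -u)" -eq 0 ]; then
    user=$1
    jail=$2
    mkdir -p "$jail/upload"
    chown root:root "$jail" && chmod 755 "$jail"
    chown "$user" "$jail/upload" && chmod 700 "$jail/upload"
    check_chroot_path "$jail" || exit 1
    sftp_match_block "$user" "$jail" >> /etc/ssh/sshd_config
    sshd -t && echo "sshd_config OK; reload sshd to apply"
fi
```

The ownership walk is the check most often skipped: a jail that is writable by the user, or that sits under a user-writable parent, makes sshd refuse the login with nothing more than a "bad ownership or modes" line in the server log, so verifying it before reloading sshd saves a round of guessing.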


Author: Passiday

Updated on September 18, 2022

Comments

  • Passiday
    Passiday almost 2 years

    I need to provide a user access to an Ubuntu 14.04 Server, limited to a certain folder only. To enjoy the ssh security and not open up a new service and ports (i.e., ftp), I'd like to stick with sftp. However, just creating a user and enabling ssh access is too generous - the user can then log on via ssh and see whatever there is that is viewable by everybody.

    I need the user to find themselves in a specific directory after login, and, according to their privileges, read/write files, as well as create folders where permitted. No access to any file or directory above the user's "root" folder.

    What would be the suggested method to achieve this? Is there some very restricted shell type for this? I tried with

    $ usermod -s /bin/false <username>

    But that does not let the user cd into subfolders of their base folder.

  • Passiday
    Passiday almost 10 years
    Is there any way to let the user access folders linked via symbolic link? My sftp users get "Couldn't canonicalize: No such file or directory" error when they try to cd into those.
  • Gilles 'SO- stop being evil'
    Gilles 'SO- stop being evil' almost 10 years
    @Passiday Make sure that the symbolic links don't go outside the chroot: they should be relative, and not using .. too many times (or absolute, but then they need to start from the root of the chroot, so they'll be invalid outside the chroot).
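To make the rule in the comment above mechanical, here is an added example (not code from the comment's author) that decides whether a symbolic link inside an SFTP jail resolves outside it, the way the chrooted server sees it: an absolute target starts at the jail's root, a relative target is taken from the link's own directory, and the evaluation is purely lexical, so no real-filesystem path is followed. The `sftp-linkcheck.sh` script name is an assumption.

```shell
#!/bin/sh
# Added example, not from the original comments: flag symlinks whose
# target climbs above the chroot root.  Lexical check only; it does not
# resolve anything on the real filesystem.

# Return 0 if PATH ($1, absolute, chroot root = /) climbs above the root.
escapes_root() {
    depth=0
    old_ifs=$IFS
    IFS=/
    for seg in $1; do
        case $seg in
            ''|.) ;;
            ..) depth=$((depth - 1))
                if [ "$depth" -lt 0 ]; then IFS=$old_ifs; return 0; fi ;;
            *)  depth=$((depth + 1)) ;;
        esac
    done
    IFS=$old_ifs
    return 1
}

# Return 0 if symlink LINK ($2, a real path under CHROOT $1) escapes the
# jail; 1 if it stays inside; 2 on a usage error.
symlink_escapes_chroot() {
    chroot=$1
    link=$2
    case $link in
        "$chroot"/*) ;;
        *) echo "$link is not under $chroot" >&2; return 2 ;;
    esac
    target=$(readlink "$link") || return 2
    case $target in
        /*) view=$target ;;                       # absolute: starts at jail root
        *)  link_dir=$(dirname "${link#"$chroot"}")
            view=$link_dir/$target ;;            # relative: from the link's dir
    esac
    escapes_root "$view"
}

# Usage: sftp-linkcheck.sh CHROOT_DIR   -- lists every symlink that escapes.
if [ $# -eq 1 ]; then
    find "$1" -type l | while read -r l; do
        symlink_escapes_chroot "$1" "$l" && echo "ESCAPES: $l -> $(readlink "$l")"
    done
fi
```

A link that the check reports as escaping is exactly the case that produces the "Couldn't canonicalize" error in the earlier comment: inside the jail there is nothing above the root for it to point at, so the server cannot resolve it. An absolute link that passes the check still only points at the jail's copy of that path, as the comment notes.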
  • Passiday
    Passiday almost 10 years
    I see from here that if I want users to venture outside the jail, then I must mount that outside folder.