Thursday, November 11, 2010

SFTP access only with OpenSSH

SFTP or secure FTP is preferred over plain FTP. If you just need to configure some users that have SFTP access only and you can live with a directory per user then you can use the method described below.

Nowadays most of the out-of-the-box pre-installed openssh versions will be greater than 4.9. For those setting up SFTP access is easy I have tested the below in Ubuntu 9.04 (Jaunty) with OOpenSSH_5.6p1, OpenSSL 0.9.8g.

The information below is the result of some research I have performed visiting a dozen of websites and trying things like RSSH and scponly. I found this to be the quickest and simple way to get SFTP working.
  1. Find out you are running version > 4.9
    $ ssh -v
  2. Create sftponly group
  3. $ groupadd sftponly
  4. Configure SFTP-access-only for group sftponly. Note I have commented out the ForceCommand line. In my Ubuntu with that line the server will authenticate the user but the user will get a "Connection closed" message right away.
    $ vi /etc/ssh/sshd_config
    #Subsystem sftp /usr/lib/openssh/sftp-server
    Subsystem sftp internal-sftp
    #The below must terminate the file
    Match Group sftponly
        ChrootDirectory %h
        AllowTCPForwarding no
        X11Forwarding no
        ForceCommand internal-sftp
  5. Add a user for example "report". The home directory should be /home/ and the shell must be set to a false shell.
    $ useradd -d /home/report -s /bin/false -m report
  6. Alternatively modify an existing user
    $ usermod -d /home/report -s /bin/false report
  7. Assign user to group
    $ usermod -g sftponly report
  8. Assign a password to the user
    $ passwd report
  9. Modify ownership and permissions to the home directory
    $ chown root:root /home/report
    $ chmod 755 /home/report
  10. Create a folder and assign permissions for the user. Within this folder the user will be able to add/remove folders and files. Of course permissions can vary depending on what you want to achieve.
    $ mkdir /home/report/reports
    $ chown report:report /home/report/reports
    $ chmod 755 /home/report/reports
  11. New users. Just repeat steps 4-9.

If you liked this then it is time for you to check how to simplify sftp user creation.

Some useful resources

No comments: