
Thread: Chroot sftp users. In case your folder to chroot is not /home/user

  1. #1 (kaynemo2, Join Date: Feb 2017)

    Chroot sftp users. In case your folder to chroot is not /home/user

    Hi all! I'm posting this because I wish someone had done the same when I struggled with this seemingly simple task.
    Hope this helps someone.

    TASK

    - Let's say we need to give a certain user sftp access to our server.

    - Let's also say the user we are giving access to needs to be limited to his/her folder, without any way of browsing the system, let alone modifying or executing anything outside the user's folder.

    - Let's also assume that the folder we are creating for the user is not simply /home/user but, as in my case, is located on a separate volume in a far-away folder. All the tutorials I've found on the internet were using /home/user as the user's folder. And it took my dumb ass several hours to figure out why my user WOULDN'T get access to the folder I needed him to - that is because NO ONE mentioned that the chain of ownership and permissions needed for chrooting an sftp user has to start ALL THE WAY from /.

    - I also needed this user to have the least amount of folders to click through before he/she could upload/download. At the same time, from my side, I needed a uniform way to create folders so that I'd know where to upload the content (also, I already had a huge FTP archive from a previous install, before I made it into an sftp-connected system, that I was reluctant to completely scratch and start over). To make my life easier I simply added ONE folder with the same name to each existing user folder, to respect the permission/ownership requirement for chrooting sftp users. Surely I had to move all the existing content to the new additional folder, but since I used the MOVE command instead of COPY, it was very fast despite the amount of files and folders inside each user's "home".

    If you are like me - this is the answer:

    - we have a user john
    - he needs to be allowed in via sftp and chrooted to a folder that is locally /mnt/sdb1/POK/FTP/john/john/ <--- there is a reason there are 2 "john" folders - read on


    SOLUTION

    1. Create a user:
       1. sudo useradd john
       2. sudo passwd john
       3. sudo usermod -d /home/john john (home directory)


    2. Create a folder for future ftp access:
       1. In case of a long chain of folders, create a doubled folder name at the end of the chain: /mnt/sdb1/POK/FTP/john/john/useable_folder (the read/write one is the last in the chain)
       2. Make sure that every single folder in the chain EXCEPT /useable_folder is set up the following way:
          1. owned by root (sudo chown root:root /mnt, sudo chown root:root /mnt/sdb1 and so on, all the way to /mnt/sdb1/POK/FTP/john/john)
          2. permissions set to 0755 on all of the above folders (sudo chmod 0755 /mnt)
       3. set /useable_folder to be owned by john (sudo chown john:john /mnt/sdb1/POK/FTP/john/john/useable_folder)
       4. set /useable_folder permissions to 0777 (sudo chmod 0777 -R /mnt/sdb1/POK/FTP/john/john/useable_folder) - or whatever other permissions you want - that will be the folder your user can manipulate in.

    3. open /etc/ssh/sshd_config in nano:
       1. Do this modification (uncomment the second line):

    Code:
    #Subsystem sftp /usr/lib/openssh/sftp-server
    Subsystem sftp internal-sftp

       2. Add the following lines to the end of the file:

    Code:
    Match User john
        ChrootDirectory /mnt/sdb1/POK/FTP/john/john/
        ForceCommand internal-sftp
        AllowTcpForwarding no

    4. Save the file and exit and restart sshd (sudo systemctl restart sshd)


    5. Optional: you can set what kind of access your sftp user has to the server. Initially it is /bin/bash or /bin/sh, which allows the user to ssh into the server with his credentials. For security reasons, if you need to limit this user ONLY to sftp connections without the option of an ssh login, put this in the /etc/passwd file instead of /bin/bash or /bin/sh at the end of the line with the user's credentials:

    /usr/libexec/openssh/sftp-server

    Don't forget to restart sshd after this.

    If you get any errors on login through FileZilla, first make sure it is connecting via sftp (you can set it in the preferences, or you can type the full address in the address field -> sftp://10.20.30.40); the next thing to check is the correct owner and permissions on the entire chain of folders from / to /useable_folder. I've had to double-check it a few times, because some of the attributes wouldn't stick.
    Last edited by kaynemo2; January 19th, 2023 at 12:55 PM.
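
    Added example (not part of kaynemo2's post, and not a tool shipped with OpenSSH or Ubuntu): the script below automates steps 1 to 4 above for a chroot that lives outside /home and, before it touches sshd, walks the chain from / down to the chroot and lists every directory sshd would refuse. The check encodes the condition sshd_config(5) states for ChrootDirectory: each component of the path must be a root-owned directory that is not writable by group or others. That is why 0755 on every link in the chain works, why a writable /useable_folder has to sit inside the chroot rather than be the chroot (the second "john"), and why a group-writable 0775 or a world-writable 0777 anywhere in the chain breaks the login. Two deliberate differences from the post: the writable folder is created 0755 owned by the user (enough for the owner to write; 0777 is not needed), and the Match keyword is written "Match User" as in the man page. The user, group, path and folder names are the ones from the post; the sshd_config location and the "ssh" service unit are Ubuntu assumptions; the owner-uid parameter on the check exists only so it can be exercised unprivileged against a scratch tree, sshd itself insists on uid 0.

```shell
#!/usr/bin/env bash
# Added example, not code from the forum post. Builds and verifies a
# root-owned directory chain for an OpenSSH ChrootDirectory outside /home.
# Assumed: Ubuntu with GNU coreutils, /etc/ssh/sshd_config, and the names
# from the post (john, /mnt/sdb1/POK/FTP/john/john, useable_folder).
set -u

# Return 0 if DIR would be accepted as a link of a chroot chain: owned by
# OWNER_UID (root, uid 0, in real use) and no group/world write bit set.
# OWNER_UID is a parameter only so the check can run unprivileged on a
# scratch tree; sshd itself requires uid 0 on every component.
check_chain_dir() {
    local dir owner_uid uid mode
    dir=$1; owner_uid=${2:-0}
    [ -d "$dir" ] || return 1
    uid=$(stat -L -c '%u' "$dir")
    mode=$(stat -L -c '%A' "$dir")          # e.g. drwxr-xr-x
    [ "$uid" -eq "$owner_uid" ] || return 1
    case $mode in
        ?????w*|????????w*) return 1 ;;     # group- or world-writable
    esac
    return 0
}

# Print every directory on the path from / to CHROOT that fails the check
# above; return 0 only if the whole chain is acceptable to sshd.
check_chroot_chain() {
    local chroot owner_uid cur rc old_ifs part
    chroot=$1; owner_uid=${2:-0}; cur=/; rc=0
    check_chain_dir / "$owner_uid" || { echo /; rc=1; }
    old_ifs=$IFS; IFS=/; set -- $chroot; IFS=$old_ifs   # split on "/"
    for part in "$@"; do
        [ -n "$part" ] || continue
        cur="${cur%/}/$part"
        check_chain_dir "$cur" "$owner_uid" || { echo "$cur"; rc=1; }
    done
    return "$rc"
}

# Step 2 of the post: every directory down to CHROOT root-owned and 0755,
# then one directory inside the chroot owned by the sftp user. Needs root.
setup_chroot_chain() {
    local chroot user writable cur old_ifs part
    chroot=$1; user=$2; writable=$3; cur=/
    old_ifs=$IFS; IFS=/; set -- $chroot; IFS=$old_ifs
    for part in "$@"; do
        [ -n "$part" ] || continue
        cur="${cur%/}/$part"
        mkdir -p "$cur"
        chown root:root "$cur"
        chmod 0755 "$cur"
    done
    # The writable area sits inside the root-owned chroot; this is the
    # reason the post ends the path with a second "john" directory.
    install -d -o "$user" -g "$user" -m 0755 "${chroot%/}/$writable"
}

# Step 3.2 of the post: the sshd_config stanza for one chrooted user.
render_match_block() {
    local user chroot
    user=$1; chroot=${2%/}
    printf '%s\n' \
        "Match User $user" \
        "    ChrootDirectory $chroot" \
        "    ForceCommand internal-sftp" \
        "    AllowTcpForwarding no"
}

# Usage, as root, with the post's names:
#   ./chroot_sftp.sh john /mnt/sdb1/POK/FTP/john/john useable_folder
main() {
    local user chroot writable cfg
    user=$1; chroot=$2; writable=${3:-useable_folder}; cfg=/etc/ssh/sshd_config
    id "$user" >/dev/null 2>&1 || useradd "$user"   # step 1; then: passwd "$user"
    setup_chroot_chain "$chroot" "$user" "$writable"
    if ! check_chroot_chain "$chroot"; then
        echo "sshd would refuse this ChrootDirectory; fix the directories listed above" >&2
        return 1
    fi
    # Step 3.1: internal-sftp needs no binaries or libraries inside the chroot.
    sed -i 's|^Subsystem[[:space:]]\+sftp[[:space:]].*|Subsystem sftp internal-sftp|' "$cfg"
    # Match blocks must be the last thing in sshd_config; append ours once.
    grep -q "^Match User $user\$" "$cfg" || render_match_block "$user" "$chroot" >>"$cfg"
    # Step 4, but validate first: a broken sshd_config locks everyone out.
    /usr/sbin/sshd -t && systemctl restart ssh   # "ssh" is the unit name on Ubuntu
}

[ $# -eq 0 ] || main "$@"
```

    When FileZilla reports a login failure, run `check_chroot_chain /mnt/sdb1/POK/FTP/john/john` on its own as root: anything it prints is a directory whose owner or group/world write bits sshd will not accept, which is the "attributes wouldn't stick" case from the post. The ChrootDirectory value is written without a trailing slash, and sshd is only restarted after `sshd -t` accepts the new file.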

  2. #2 (Location: UK, Distro: Ubuntu 22.04 Jammy Jellyfish, Join Date: Jun 2006)

    Re: Chroot sftp users. In case your folder to chroot is not /home/user

    @kaynemo2, I've moved this post from Networking & Wireless to the Tutorials section. I've also removed the now-superfluous solved and tutorial tags from the thread title.

    Thank you for your interest, but please see our Tutorials Guidelines: https://ubuntuforums.org/showthread.php?t=2143602

    In particular:

    Tutorials should be supported.
    You are expected to offer support for your tutorial, within practical limits. If you fail to respond to requests for help or clarification within a reasonable time, or fail to update your tutorial, the thread will be closed or removed.

  3. #3 (kaynemo2, Join Date: Feb 2017)

    Re: Chroot sftp users. In case your folder to chroot is not /home/user

    Thanks. I was just trying to help, actually.
