Linux system administrators frequently wish to give users the ability to upload files to remote servers. The most common way of doing so in a secure manner is to permit file transfers via SFTP, which uses SSH to provide encryption. By default, users are able to view the contents of the entire remote filesystem, which may not be desirable. This guide will help you configure OpenSSH to restrict users to their home directories. Please note that these instructions are not intended to support shell logins; any user accounts modified in accordance with this guide will have the ability to transfer files, but not the ability to log into a remote shell session.
Please note that these instructions will work on Ubuntu 9.04 and greater or Debian 5 and greater systems. Unfortunately, the version of SSH packaged with Ubuntu 8.04 is too old to support this configuration.
These instructions work with the Linode platform. If you don't have a Linode yet, sign up for a Linux VPS and get started today.
Edit your /etc/ssh/sshd_config file, making sure the following line is present. If your system's file has a line that begins with "Subsystem sftp" modify it to resemble the following:
File excerpt: /etc/ssh/sshd_config
Subsystem sftp internal-sftp
Continue to add the following block to the end of the file:
File excerpt: /etc/ssh/sshd_config
Match group filetransfer
ChrootDirectory %h
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp
Restart OpenSSH as follows:
/etc/init.d/ssh restart
Create a group for the users who will only have SFTP access:
addgroup filetransfer
Next, you'll need to modify the user accounts that you wish to restrict to using only SFTP. Issue the following commands for each account, substituting the appropriate username. Please keep in mind that this will prevent these users from being able to log into a remote shell session. If you don't want to restrict your existing users, you may add new user accounts for file transfer purposes using the adduser command.
usermod -G filetransfer username chown root:root /home/username chmod 755 /home/username
After issuing these commands, the affected users won't be able to create files in their home directories as these directories will be owned by the root user. You'll want to create a set of directories for each user that they have full access to. Issue the following command for each user, changing the directories created to suit your needs:
cd /home/username mkdir docs public_html chown username:username *
Your users should now be able to log into their accounts via SFTP and transfer files to and from the directories located beneath their home directories, but they shouldn't be able to see the rest of the server's filesystem.
You may wish to consult the following resources for additional information on this topic. While these are provided in the hope that they will be useful, please note that we cannot vouch for the accuracy or timeliness of externally hosted materials.
This guide is licensed under a Creative Commons Attribution-No Derivative Works 3.0 United States License
.
Please feel free to redistribute unmodified copies of it as long as attribution is provided, preferably via a link to this page.
|
Submitted by Tim on Thursday, January 21 2010 at 20:30:50 GMT
Hi,
how can I get this working on Ubuntu 8.04? Apparently sshd version 4.7p1 does not support this. thx, Tim |
|
|
Submitted by jeremiah on Thursday, January 28 2010 at 20:59:26 GMT
@Tim
What error messages are you getting? |
|
Submitted by Phil Paradis on Thursday, January 28 2010 at 21:07:30 GMT
@Tim - Unfortunately, this will only work on Ubuntu 9.04 or newer installs. I'll add a note to this effect to the introductory paragraph; thanks for the heads up.
|
|
Submitted by Jason Wagner on Monday, February 8 2010 at 19:33:57 GMT
This is exactly what I needed. THANKS!! :D
|
|
Submitted by bjl on Wednesday, March 17 2010 at 23:24:54 GMT
Good stuff!
|
|
Submitted by Mike on Sunday, March 28 2010 at 10:25:45 GMT
I'm not sure why, but on Ubuntu 9.04 64-bit I found the following line did not jail the user to their home directory:
Code:
ChrootDirectory %h They would be able to see the full filesystem. I had to use the following line to achieve the desired effect: Code:
ChrootDirectory /home/%u |
|
Submitted by Wes Baker on Wednesday, March 31 2010 at 15:30:18 GMT
Can you set the ChrootDirectory to another directory, say something in /var/www? I attempted just changing the ChrootDirectory to the one I want to change to and doing a chown on that directory and I'm getting permission denied.
|
|
Submitted by Andrew on Thursday, April 15 2010 at 22:54:19 GMT
it works! woo-hoo!!
after doing the "Configure OpenSSH" part, what I did was map each user to a virtualhost, like so: Code:
# useradd -d /srv/www/[domain] [username] # passwd [username] # usermod -G filetransfer [username] # chown [username]:[username] /srv/www/[domain]/public_html |
Got a comment?