Linux | Starck Lin

How can chroot sftp-only SSH users into their homes?

Log — Tags: Linux, SFTP, SSH — Posted by Starck on June 8, 2014

Here is a guide for setting up SFTP users who’s access is restricted to their home directory.

/etc/ssh/sshd_config

# Enable sftp
Subsystem sftp internal-sftp

# This section must be placed at the very end of sshd_config
Match Group sftponly
    ChrootDirectory %h
    ForceCommand internal-sftp
    AllowTcpForwarding no

1

2

3

4

5

6

7

8

# Enable sftp

Subsystem sftp internal-sftp

# This section must be placed at the very end of sshd_config

Match Group sftponly

ChrootDirectory %h

ForceCommand internal-sftp

AllowTcpForwarding no

# Create sftponly group
groupadd sftponly

# Add a user to sftponly group
usermod {username} -g sftponly
# Deny SSH shell access
usermod {username} -s /bin/false
# Set the user's home directory
usermod {username} -d {home_directory}
# Restart SSH service
service ssh restart

1

2

3

4

5

6

7

8

9

10

11

# Create sftponly group

groupadd sftponly

# Add a user to sftponly group

usermod {username} -g sftponly

# Deny SSH shell access

usermod {username} -s /bin/false

# Set the user's home directory

usermod {username} -d {home_directory}

# Restart SSH service

service ssh restart

Notes: (Important!)

If you got the login failed message:

Write failed: Broken pipe

Change the user and access permission:

chown root:sftponly /home
chown root:sftponly /home/{username}
chmod 755 /home
chmod 755 /home/{username}

1

2

3

4

chown root:sftponly /home

chown root:sftponly /home/{username}

chmod 755 /home

chmod 755 /home/{username}

Comments (0)

Using start-stop-daemon on CentOS

Log — Tags: CentOS, Linux — Posted by Starck on January 19, 2014

Download source

tar -xf dpkg_1.17.6.tar.xz
cd dpkg-1.17.6
# Ubuntu
# sudo apt-get install libncurses5-dev libncursesw5-dev
sudo yum install ncurses-devel ncurses
./configure
make
cd utils
make
cc start-stop-daemon.c -o start-stop-daemon
sudo cp start-stop-daemon /usr/local/bin

1

2

3

4

5

6

7

8

9

10

11

tar -xf dpkg_1.17.6.tar.xz

cd dpkg-1.17.6

# Ubuntu

# sudo apt-get install libncurses5-dev libncursesw5-dev

sudo yum install ncurses-devel ncurses

./configure

make

cd utils

make

cc start-stop-daemon.c -o start-stop-daemon

sudo cp start-stop-daemon /usr/local/bin

Done!

Comments (6)

How to recursively give directories or files access permissions?

Log — Tags: chmod, command, find, Linux — Posted by Starck on October 8, 2013

To recursively give directories read & execute privileges:

find /path/to/base/dir -type d -exec chmod 755 {} +

To recursively give files read privileges:

find /path/to/base/dir -type f -exec chmod 644 {} +

Or, if there are many objects to process:

chmod 755 $(find /path/to/base/dir -type d)

chmod 644 $(find /path/to/base/dir -type f)

Or, to reduce chmod spawning:

find /path/to/base/dir -type d -print0 | xargs -0 chmod 755

find /path/to/base/dir -type f -print0 | xargs -0 chmod 644

Comments (0)