In this post, I'll show you how to set up secure ftp (SFTP) access to your Ubuntu server. (Instructions for Debian are very similar: leave out the sudo part and follow these steps as root.)
For this to work, you'll need Ubuntu 8.10 "Intrepid", Debian 5.0 "Lenny" or newer. In this example, mark is the user that can gain superuser rights through sudo. "peter" and a few other users are the ones I want to give sftp access to their personal folders, but no shell access or anything else.
Step 1: If it doesn't exist yet, create a group for the users you want to have sftp access only:
mark@neuskeutel:~$ sudo groupadd sftponly
Step 2: Add user "peter" to this group:
mark@neuskeutel:~$ sudo adduser peter sftponly
Step 3: Install openssh-server if it's not installed yet.
mark@neuskeutel:~$ sudo apt-get install openssh-server
Step 4: Open the default OpenSSH server configuration for editing:
mark@neuskeutel:~$ sudo nano /etc/ssh/sshd_config
Step 5: Change the default sftp server from:
Subsystem sftp /usr/lib/openssh/sftp-server
to
Subsystem sftp internal-sftp
Step 6: Users in the sftponly group (created in step 1) may only use sftp, not other OpenSSH features like remote login. Let's create a rule for that group of users. Add the following section to the bottom of /etc/ssh/sshd_config:
Match group sftponly
ChrootDirectory /home/%u
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp
Step 7: Hand ownership of peter's home directory, the directory you want to make sftp accessible, to the superuser:
mark@neuskeutel:~$ sudo chown root.root /home/peter
Step 8: Now we change peter's home directory (normally /home/peter) to /:
mark@neuskeutel:~$ sudo usermod -d / peter
Step 9: Repeat steps 2, 7 and 8 for any other users that you want to give sftp access.
Did you find this tutorial helpful? Any problems when trying to follow it? Suggestions? Please comment and I'll try to follow up!
47 comments:
Step 2 is incorrect.
Wannes, I fixed the typo in the description for step 2. Thank you for noticing and reporting it!
I rely on rssh (restricted shell for scp/sftp, also available via the "universe" repo in Ubuntu). Once installed, changing the user's shell to rssh suffices to restrict that user to scp/sftp as well.
I looked into rssh too. My reasons for going with just OpenSSH, not rssh are twofold:
1) As far as I know, rssh can't control port forwarding.
2) Rssh is yet another package. I'd rather throw less and very well audited code at security.
What is the point of step 8?
Ryan,
Why Step 8?
After the call to chroot(), sshd changes directory to the home directory relative to the new root directory.
Oh, right. Thanks for the clarification.
I've tried this on Hardy but get:
"Directive `ChrootDirectory' is not allowed within a Match block" and sshd fails to start. Do you know how to avoid this (if possible without changing the OpenSSH version or stuff like that)?
Ah, I see version 5.0 of OpenSSH is required. Too bad.
If anyone wants it, I have backported the OpenSSH version from Intrepid for Hardy in my PPA: https://launchpad.net/~rainct/+archive
[DISCLAIMER: All files there come with NO support from Canonical nor Ubuntu, and only limited maintenance from me. Use them at your own responsibility.]
When using FileZilla to connect I can still browse and navigate the system. I would like to lock this to only their home directory, allowing them to see files, download and upload files only.
Sorry I forgot to restart ssh.
sudo /etc/init.d/ssh restart
I did get an error on ubuntu 8.10 that said TcpForwarding was not allowed and once removed it worked fine.
Why if I skip step 7 the user cannot login? It seems the only way to allow the user to upload is to create a subdirectory as root then chown it to the user. Is there a better way?
Also for step 7, wouldn't "chown root:root /home/peter" be better? Or does it even matter?
BTW, thanks very much for the directions, this is just what I was looking for.
Thx Marc, exactly what I needed.
:)
After I first read some howto involving rssh I discovered your howto.
Worked perfectly!
I just made a slight change:
ChrootDirectory ~
this prevented me from resetting permissions and stuff so i could just use whatever homedir i want.
or is there a reason for doing it the way you described?
I think the reason / is used as the ChrootDirectory, is because the home directory for the sftp user and all previous directories in the hierarchy must be owned by root, and only writeable by root. For instance if you want the user to be chrooted to /var/upload, you have to make sure /var/upload, /var and / are owned by root, and only writeable by root (chmod 755). Once the user logs in, since their home directory is owned by root they will not be able to upload files/create directories. Create a folder structure for them, chown the folder(s) to the sftp user, and they can then upload files.
Source: http://www.minstrel.org.uk/papers/sftp/builtin/
any reason why enabling write access with:
chmod 775 /home/(username)
chown root.sftponly /home/(username)
is bad?
(Just installed it for apache2 uploads. Seems to work.)
Am I supposed to create a new account to replace 'peter' or use an existing one. I really don't like the idea of shifting my entire home directory around!
This doesn't work with public key auth, because sshd requires the .ssh/authorized_keys file to be owned by the user logging in. Thus you can only let 1 user in. Is there a workaround for this?
I think I got it, it's not pretty but it should work:
1) Uncomment this line:
#AuthorizedKeysFile %h/.ssh/authorized_keys
And change it to:
AuthorizedKeysFile /home/%u/.ssh/authorized_keys
2) Create a 'jail' directory in each user's chroot directory, e.g.
mkdir /home/henk/jail
3) Change ChrootDirectory /home/%u to
ChrootDirectory /home/%u/jail
4) Create a '.ssh' directory besides the jail directory for each user that uses public key auth
5) Place the authorized_keys file in the home directories and change ownership to that given user, e.g.:
chown henk:henk /home/henk/.ssh/authorized_keys
6) If the file doesn't have the right permissions already, change it now:
chmod 600 /home/henk/.ssh/authorized_keys
Also, if you want to provide access to a certain directory ( inside the 'jail' directory), e.g. /var/www/henk.nl, try this:
chown henk:henk /var/www/henk.nl #(to permit access if not already so)
mkdir /home/henk/jail/henk.nl
mount -o bind,nodev,nosuid,noexec /var/www/henk.nl /home/henk/jail/henk.nl
Before the mount, the mount target should be owned by root. After the mount, that directory will be owned by whoever owns the other directory, in fact everything will be exactly the same. This also adds security because /var is probably not mounted with nodev,nosuid,noexec.
I want to change the home directory for all users to /Public just as a test. However after following these steps to change the home directory for user "peter" to / I am unable to use usermod -d to change the directory that I start in when I use a client such as WinSCP to my user. Instead, I always directly start at "/"
How do I fix this?
This is a great article. For a little clarification on what happens in which order, I found this was also helpful:
http://binblog.info/2008/04/06/openssh-chrooted-sftp-eg-for-webhosting/
I need multiple users to access the same directory (as per previous comment) using keys. To do this, I create each user with adduser and set them in the sftponly group with addgroup. I then create a shared jail as /var/sftp, and ensure root.root owns it with 755 perms (chown and chmod) - all the same as in the article.
Each user makes a private/public key pair (e.g. with ssh-keygen) and gives me the public key, which I manually add to their pre-chroot /home/username/.ssh/authorized_keys (which must be owned by and writable only by that user).
Since authentication happens *before* the chroot, each user's /home/username/.ssh/authorized_keys is used. But since the user's home directory is evaluated *post* chroot, we've changed it to / (as per article), and so the default sshd AuthorizedKeysFile of $HOME/.ssh/authorized_keys no longer works, and must be changed to explicitly depend upon the user name.
The final /etc/ssh/sshd_config file looks like this (don't forget to restart ssh!):
AuthorizedKeysFile /home/%u/.ssh/authorized_keys
## directions from
## http://blog.markvdb.be/2009/01/sftp-on-ubuntu-and-debian-in-9-easy.html
Match group sftponly
ChrootDirectory /var/sftp
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp
After those steps, users from sftponly are able to navigate between all directories on my server. How do I disable that?
Hi, I followed these to the letter and the user directories are not writeable. How do I allow users to upload files?
thanks
I would also like to know how to safely enable read/write access without introducing other issues.
I'm too want to know
You can let users upload files by creating a new directory in the jail and set the owner of the directory to the user.
Didn't work for me. Logging in with sftp://localhost refuses the user.
Both SSH and FTP are running and user and usergroup are active
thank you very much. great post. worked like a charm for my ubuntu 10 in MS virtual PC
Hey! thanks for the great tutorial!
However I had problems to get it running, until I found out that you actually need to close the Match clause. Otherwise in my case no sftp connections were possible. So a corrected sshd.conf should look like this:
Match group sftponly
ChrootDirectory /home/%u
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp
Match
hope this helps!
I keep getting the error "fatal: bad ownership or modes for chroot directory "/home/user"" in my /var/log/auth.log, after following the guide.
Both through sftp and ssh access.
I have closed the Match as mentioned above.
Got it running. I had trailing / after my chroot and chmod commands.
Working great on my end. Nice share and great tutorial :)
Thanks, it has helped me surely.
I have connected to remote server and it appears in my list of bookmarks and as a folder in the browser window while general working.
But when I want to attach some file to the email, from this remote server, I cannot find it in the list of places on the left side bar.
Also when downloading something, I am unable to save it directly on the server, again because it does not appear in the places to save.
Could you tell how to make this remote server always accessible as a local disk both while uploading from it or downloading to it?
Thanks in advance
Well, the internal-sftp setting worked but didn't chroot anything, so it made it useless.
Here is how to make a chrooted sftp only account with a compiled version of scponly on ubuntu 10.04
http://pastebin.com/ya0WHe8D
I followed your guide, and now server is not connecting with the root user. I think you somehow blocked the SSH for all users.
Please fix this.