
First make sure your repository is up to date. We then create a user group for SFTP access; I will be calling it sftponly. For security I think it is best practice not to allow accounts with SFTP access any additional access to the server through a secure shell (SSH) remote login, and putting every such account in one group lets the SSH daemon apply that restriction to the group as a whole.

Run the following to display your new group.

    cat /etc/group

cat allows you to quickly display a text file, while /etc/group is the file that defines the groups on the server. You should see something like this. Each line is an individual group: you can see the name, the password field (an x means any group password lives in /etc/gshadow; group passwords are almost never used), the numeric group id, and the users who are members of the group. For sftponly there are currently no assigned users. Take note of the group id; in this screenshot it is the value 1001.

We now add a new user that we will use exclusively for SFTP access. Add a user of your choice; I will use ben_example. The useradd options are:

    -d  the user's home directory, which needs to be set to / (root). Once sshd chroots the user this path is interpreted inside the chroot, so / means the user lands at the top of the chroot directory, not at the real filesystem root.
    -g  the primary group to assign, which in our example is sftponly.
    -M  stops the useradd command creating a home directory.
    -N  useradd by default creates a group with the same name as the new user; this disables that behaviour.
    -u  the numeric user id, which in this walkthrough is given the same value as the sftponly group id.
    -o  allows duplicate, non-unique user ids.

One caveat on -u and -o: the kernel identifies accounts by UID, so if the value you pass to -u already belongs to another user, -o silently makes the SFTP account that user for every permission check. Matching the UID to the group id is only a convention; if you leave out -u and -o, useradd picks the next free UID, which is the safer choice. The passwd command sets the user's password (stored as a hash in /etc/shadow).

We now back up and edit the SSH daemon configuration file.

    sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
    sudo nano /etc/ssh/sshd_config

The line

    Subsystem sftp /usr/lib/openssh/sftp-server

needs to be replaced with

    Subsystem sftp internal-sftp

internal-sftp runs the SFTP service inside sshd itself, which is what makes it usable inside a chroot that contains no binaries or libraries. Now go to the end of the document; the key combination Alt / should take you there, or you could simply use the Page Down key. Below UsePAM yes and the rest of the global settings, as the last thing in the file, add the following lines to configure our sftponly group permissions and settings. They have to come last: every directive that follows a Match line belongs to that Match block, so anything you put below it would apply only to sftponly users. The ChrootDirectory setting will confine all sftponly users to this directory. Otherwise sftponly users would have access to your server root, which you do not want. Once finished use the key combination Ctrl O to save and then Ctrl X to exit.

(Screenshot: output of sudo nano /etc/ssh/sshd_config.)

Now make sure the directory you assigned to ChrootDirectory actually exists, and if it does not then create it. Also the directory's owner and group need to be root and it must not be writable by group or others, otherwise sshd refuses the login; it will be by default if you create it with sudo. sshd applies the same ownership and permission rule to every parent directory on the path to the chroot, so check those too.
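The whole procedure above, scripted, as an added example that is not part of the original tutorial. It assumes a Debian/Ubuntu host (groupadd, useradd, getent, the ssh service name) and uses the placeholder chroot path /srv/sftp and a placeholder user name; the exact directives in the Match block, the nologin shell, and the user-writable upload subdirectory are this example's choices, not something the page specifies. The config rewrite and the chroot ownership check are plain functions so they can be exercised on a scratch file and directory without touching the real system.

```shell
#!/bin/sh
# Added example (not from the original tutorial). Assumes Debian/Ubuntu
# useradd/groupadd and POSIX find; /srv/sftp and the user name are
# placeholders. Run as root:  sudo sh sftp_only.sh apply ben_example /srv/sftp
set -eu

SFTP_GROUP=sftponly

# The Match block appended to sshd_config. ForceCommand internal-sftp is what
# actually denies a shell to the group; ChrootDirectory alone only confines
# the filesystem view. (The directive set here is this example's choice.)
sftp_match_block() {
    chroot_dir=$1
    cat <<EOF
Match Group $SFTP_GROUP
    ChrootDirectory $chroot_dir
    ForceCommand internal-sftp
    AllowTcpForwarding no
    AllowAgentForwarding no
    X11Forwarding no
EOF
}

# Rewrite an sshd_config: swap the external sftp-server binary for
# internal-sftp (a chrooted user cannot execute /usr/lib/openssh/sftp-server)
# and append the Match block as the last thing in the file. Reads $1, writes $2.
# Commented-out Subsystem lines are left alone; the block is not duplicated.
rewrite_sshd_config() {
    in=$1; out=$2; chroot_dir=$3
    sed -e 's|^[[:space:]]*Subsystem[[:space:]]\{1,\}sftp[[:space:]].*$|Subsystem sftp internal-sftp|' "$in" > "$out"
    if grep -q "^Match Group $SFTP_GROUP\$" "$out"; then
        echo "rewrite_sshd_config: Match block already present, not appending" >&2
    else
        { printf '\n'; sftp_match_block "$chroot_dir"; } >> "$out"
    fi
}

# sshd's ChrootDirectory rule: every component of the (absolute) path must be
# owned by root and not writable by group or others, or the login is refused
# with "bad ownership or modes for chroot directory". Walk from the directory
# up to / and fail on the first component that breaks the rule.
check_chroot_dir() {
    dir=$1
    [ -d "$dir" ] || { echo "check_chroot_dir: $dir does not exist" >&2; return 1; }
    p=$dir
    while :; do
        if [ -n "$(find "$p" -prune ! -user root -print)" ]; then
            echo "check_chroot_dir: $p is not owned by root" >&2; return 1
        fi
        if [ -n "$(find "$p" -prune \( -perm -020 -o -perm -002 \) -print)" ]; then
            echo "check_chroot_dir: $p is group- or world-writable" >&2; return 1
        fi
        if [ "$p" = / ]; then return 0; fi
        p=$(dirname "$p")
    done
}

# Create the group and the SFTP-only account. The tutorial reuses the group id
# as the UID with -u/-o; this example lets useradd pick a free UID instead, so
# the account can never alias an existing one. The nologin shell is an extra
# layer: internal-sftp is served inside sshd and never invokes the shell.
create_sftp_account() {
    user=$1
    getent group "$SFTP_GROUP" >/dev/null || groupadd "$SFTP_GROUP"
    id "$user" >/dev/null 2>&1 || \
        useradd -d / -g "$SFTP_GROUP" -M -N -s /usr/sbin/nologin "$user"
    passwd "$user"
}

# Full procedure, in the order the tutorial follows, plus a config syntax
# check before reload so a typo cannot lock you out of SSH.
apply() {
    user=$1; chroot_dir=$2
    cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
    rewrite_sshd_config /etc/ssh/sshd_config.bak /etc/ssh/sshd_config "$chroot_dir"
    mkdir -p "$chroot_dir"
    chown root:root "$chroot_dir"; chmod 755 "$chroot_dir"
    check_chroot_dir "$chroot_dir"
    create_sftp_account "$user"
    # The chroot itself is read-only for the user; give them a subdirectory
    # they can write to (example's addition, not covered by the tutorial).
    mkdir -p "$chroot_dir/upload"
    chown "$user:$SFTP_GROUP" "$chroot_dir/upload"; chmod 750 "$chroot_dir/upload"
    sshd -t
    systemctl reload ssh
}

case "${1:-}" in
    apply)
        [ $# -eq 3 ] || { echo "usage: $0 apply USER CHROOT_DIR" >&2; exit 2; }
        apply "$2" "$3" ;;
esac
```

Run it with apply to make the changes, or source it and call rewrite_sshd_config on a copy of sshd_config to review the result before touching the live file. check_chroot_dir is worth running on its own whenever a chrooted user is refused with "bad ownership or modes" in the auth log, since the offending component is usually a parent directory rather than the chroot itself.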
