Create SFTP only user and allow access to already created directory
I want to create a user who can only SFTP and can't SSH. There are a lot of tutorials for creating SFTP-only users. Going through one of those articles I am able to create a user who can SFTP to the server, but all of the articles create a new folder and then allow access to it.
In my case I have an already created folder (with a lot of important files in it) to which I want to allow access. There are commands in the article; I just want to make sure if the same commands will work for an existing directory. What I am up to:
1) I followed this article http://techinternets.com/chrootjailv6#7
2) I have a user ready (mark) who can access /home/jail/mark
3) Now I want to allow him access to /home/admin/domains/domain.com/public_html/access
How can I do it? (Note: I am not a server guy, I am a programmer, and hardly know Unix/Linux commands.)
No one is there ???
By reading somewhere I ran this command:
Code:
sudo usermod -d /home/admin/domains/domain.com/public_html/assets mark
and then connected through SFTP... whoa, he has got root access; I can see directories like "bin, boot, srv, var, home". This is not what I wanted :( :( Please someone help me.
Forget the chroot tutorial you found above; everything you need is already provided by OpenSSH. It's built in. You can chroot SFTP users very easily by doing something like the following in sshd_config
Code:
Subsystem sftp internal-sftp
You can read more about SFTP in the Wikibook and then hopefully the manual pages for sshd_config(5) and sshd(8) will be more clear.
@Turbocapitalist: thanks for the reply, the article link you sent is really useful, I am going through it, but can you tell me what I did wrong in my above post? Why did that newly created user get access to the root folder?
What command do I have to use if I want to edit the user's home directory?
Steps #1 - #6 should be unnecessary in a normal Linux distro. You'll get the packages you need directly from the repository instead. It's much easier to manage the system that way. Also with the standard packages, the standard tutorials and HowTos will apply.
Step #7 points to a non-standard location for the SFTP subsystem. If you copied it verbatim, it may not work. The example I pointed to uses the built-in SFTP subsystem. Steps #8 - #10 should be ok, but jail the user somewhere other than their home directory.
When you say "jail the user to some other home directory" what does it mean? Sorry, I am not a Linux user so I hardly know any concepts (common technical words used in Linux). Do you want me to make changes to the below lines?
Code:
mkdir /home/jail
Code:
chown root:root /home/admin/domains/domain.com/public_html/assets
The directory specified by sshd_config's ChrootDirectory has to be owned by root and writable by no one else. The sub-directories and files therein can be owned by your user. So I'd guess you mean something like this:
Code:
chown root:root /home/admin/domains/domain.com/
Code:
ChrootDirectory /home/admin/domains/domain.com/
About the concepts, chroot is a way of isolating part of the file system by pretending that the one part is the root (top-level) of the system. The 'jail' is a name for the part that is being isolated. The same concepts apply in other systems like the BSDs and OS X.
I will try these two commands, but before that I want to ask one important question.
I have files in
Code:
/public_html
If you set up an SFTP-only chrooted directory then /home/admin/domains/domain.com/public_html will appear as /domain.com/public_html to the chrooted SFTP user during the time they are using SFTP. To the other users, especially regular system users, it will appear as /home/admin/domains/domain.com/public_html. So even if the directory is chrooted for certain SFTP users, you as administrator will still be able to access it as a regular directory with all programs and "commands": /home/admin/domains/domain.com/public_html. The contents inside that directory are not affected one way or another; just access to the directories is affected.
@Turbocapitalist : Thanks for the help, I will give it a try.