Hello
I'm so sorry to cite from a website but when I tried to send the link of
the site I got a bounce error from lists.debian... so here is the site:
This came up today where I needed to give secure file transfer to
customers. To complicate things I had to use an out-of-the-box RHEL6
system. The obvious answer was to use SSH and limit those users to SFTP
only. Locking them into a chroot was not a requirement, but it seemed
like a good idea to me. I found plenty of docs that got 80% of the way,
or took a shortcut, but this should be complete.

The basic steps are:

1. Create a group and add the users to that group
2. Modify the SSH daemon configuration to limit a group to sftp only
3. Set up file system permissions
4. Configure SELinux
5. Test (of course)

Without further ado, let's get started. It should only take about 10
minutes, nothing here is especially complex.

Create a group that is limited to SFTP only and a user to be in that
group.

    groupadd sftponly
    useradd sftptest
    usermod -aG sftponly sftptest

Now you need to make a little change to /etc/ssh/sshd_config. There will
be a Subsystem line for sftp which you need to change to read:

    Subsystem sftp internal-sftp

Now you need to create a block at the end to limit members of a group
(i.e. the sftponly group you created above) and chroot them. Simply add
the following to the end of the file:

    Match Group sftponly
        ChrootDirectory %h
        ForceCommand internal-sftp
        X11Forwarding no
        AllowTcpForwarding no

These changes will require a reload of the SSH daemon:

    service sshd reload

Now you need to make some file permission changes. For some reason
which I cannot work out for now, the home directory must be owned by
root and have the permissions 755. So we will also need to make a folder
in the home directory to upload to and make that owned by the user.

    sudo -u sftptest mkdir -pv /home/sftptest/upload
    chown root. /home/sftptest
    chmod 755 /home/sftptest
    chgrp -R sftponly /home/sftptest

The last thing we need to do is tell SELinux that we want to upload
files via SFTP to a chroot as it is read-only by default. Of course you
are running SELinux in enforcing mode, aren't you :)

    setsebool -P ssh_chroot_rw_homedirs on

Now from another console you can sftp to your server:

    sftp sftptest@<server>

You should then be able to put a file in your upload folder. However if
you try to ssh to the server as the user sftptest it should tell you to
go away. Of course you should be able to ssh as your normal user with no
problem. Pro tip: make sure to leave a root terminal open just in case.
I'm sure it can be used on Debian as well.
Balint
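An added example, not from the quoted article or from anyone in this thread: a POSIX shell check for the rule behind step 3 above. sshd refuses to chroot a session unless the ChrootDirectory and every parent directory up to / are owned by root and not writable by group or other, which is why /home/sftptest must be root-owned 755 while the user-owned upload folder sits one level below. It assumes GNU coreutils stat (Linux).

```shell
#!/bin/sh
# Added example, not from the quoted article: check the rule that makes step 3
# work. sshd will not chroot a session unless the ChrootDirectory and every
# parent directory up to / are owned by root and not writable by group or
# other; that is why /home/sftptest has to be root-owned with mode 755 while
# the user-owned, writable "upload" folder lives one level below it.
# Assumes GNU coreutils stat (Linux), e.g. on the RHEL6 box from the article.

# perm_ok UID OCTAL_MODE: succeed if one path component satisfies sshd.
perm_ok() {
    uid=$1
    mode=$2
    [ "$uid" -eq 0 ] || return 1             # must be owned by root
    last2=${mode#"${mode%??}"}               # group and other digits
    grp=${last2%?}
    oth=${last2#?}
    case $grp in 2|3|6|7) return 1 ;; esac   # group write bit set
    case $oth in 2|3|6|7) return 1 ;; esac   # other write bit set
    return 0
}

# check_chroot_path DIR: walk from DIR up to / and apply perm_ok to each
# component. Prints the first offending directory to stderr and fails;
# succeeds silently when sshd would accept DIR as a ChrootDirectory.
check_chroot_path() {
    dir=$1
    case $dir in
        /*) ;;
        *) echo "check_chroot_path: need an absolute path" >&2; return 2 ;;
    esac
    while :; do
        info=$(stat -c '%u %a' "$dir") || return 2
        set -- $info                         # $1 = owner uid, $2 = octal mode
        if ! perm_ok "$1" "$2"; then
            echo "NOT OK: $dir (uid=$1 mode=$2) must be root-owned, no g/o write" >&2
            return 1
        fi
        [ "$dir" = / ] && return 0
        dir=$(dirname "$dir")
    done
}
```

Run check_chroot_path /home/sftptest on the server before reloading sshd; on failure the message names the exact directory to fix.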
On 04/01/14 15:30, emmanuel segura wrote:
Match User user01
ChrootDirectory /home
ForceCommand internal-sftp
X11Forwarding no
AllowTcpForwarding no
Match User user02
ChrootDirectory /home
ForceCommand internal-sftp
X11Forwarding no
AllowTcpForwarding no
useradd -m user01 && useradd -m user02
chmod 300 /home/user02
restart sshd daemon
[root@nod01 ~]# sftp user02@localhost
user02@localhost's password:
Connected to localhost.
sftp> cd user02
sftp> ls
remote readdir("/user02"): Permission denied
sftp> mkdir hello
In a few words, the user user02 can only write and user user01 can
write and read.
2014/1/4 Chris Davies <ch...@roaima.co.uk>
Bob Goldberg <bobg.h...@gmail.com> wrote:
> trying to determine best solution for an SFTP server.
> vsftpd appears to be my current best choice
vsftpd is "Very Secure FTP Daemon". It does FTP well (cleartext passwords
notwithstanding). It doesn't do SFTP (file transfer over ssh).
> users must be chroot'ed to /home/chroot/home/<username>.
> users belong to the chroot group.
> their home dir down, need all be group owned by chmgr.
> home dir down; should all be chmod 770(dir)/660(files). so <user> and
> managers (chmgr group) all have rw access to files, and rwx /dirs; with
> other having no rights at all.
> managers ideally chroot'ed to /home/chroot/home.
> they can access all <username> folders, and transfer files in/out of
> each.
> they belong to the chmgr group.
Sounds exactly like a job for the Match directive within a standard
sshd_config (openssh-server).
Chris
Archive: http://lists.debian.org/ofhlpaxr2f....@news.roaima.co.uk
--
this is my life and I live it as long as God wills