I need to create a user which can only SFTP to specific directory and take a copy of some infomation. that is it. I keep looking online and they bring up information about chroot and modifying the the sshd_config. So far I can just <ul> <li>add the user "useradd sftpexport" </li> <li>create it without a home directory "-M" </li> <li>set its login location "-d /u02/export/cdrs" (Where the information is stored)</li> <li>not allow it to use ssh "-s /bin/false"</li> </ul> <blockquote> useradd sftpexport -M -d /u02/export/cdrs -s /bin/false </blockquote> Can anyone suggest what am meant to edit so the user can only login and copy the file off?

I prefer to create a user group <code>sftp</code> and restrict users in that group to their home directory. First, edit your <code>/etc/ssh/sshd_config</code> file and add this at the bottom. <pre class="prettyprint"><code>Match Group sftp ChrootDirectory %h ForceCommand internal-sftp AllowTcpForwarding no </code></pre> This tells OpenSSH that all users in the sftp group are to be chrooted to their home directory (which <code>%h</code> represents in the ChrootDirectory command) Add a new sftp group, add your user to the group, restrict him from ssh access and define his home directory. <pre class="prettyprint"><code>groupadd sftp usermod username -g sftp usermod username -s /bin/false usermod username -d /home/username </code></pre> Restart ssh: <pre class="prettyprint"><code>sudo service ssh restart </code></pre> If you are still experiencing problems, check that the directory permissions are correct on the home directory. Adjust the 755 value appropriately for your setup. <pre class="prettyprint"><code>sudo chmod 755 /home/username </code></pre> EDIT: Based on the details of your question, it looks like you are just missing the sshd_config portion. In your case, substitute <code>sftp</code> with <code>sftpexport</code>. Also be sure that the file permissions are accessible on the <code>/u02/export/cdrs</code> directory. An even better setup (and there are even better setups than what I am about to propose) is to symlink the <code>/u02/export/cdrs</code> directory to the user home directory.

You could need to add a restricted shell for this user can put some files there. You can use rssh tool for that. <pre class="prettyprint"><code>usermod -s /usr/bin/rssh sftpexport </code></pre> Enable allowed protocols in config <code>/etc/rssh.conf</code>.

Create a SFTP user to access only one directory. [closed]

Tags:

linux

shell

ssh

sftp

sshd

I need to create a user which can only SFTP to specific directory and take a copy of some infomation. that is it. I keep looking online and they bring up information about chroot and modifying the the sshd_config.

So far I can just

add the user "useradd sftpexport"
create it without a home directory "-M"
set its login location "-d /u02/export/cdrs" (Where the information is stored)
not allow it to use ssh "-s /bin/false"

useradd sftpexport -M -d /u02/export/cdrs -s /bin/false

Can anyone suggest what am meant to edit so the user can only login and copy the file off?

480

asked Apr 16 '14 04:04

Alec George Doran-Twyford

2 Answers

I prefer to create a user group sftp and restrict users in that group to their home directory.

First, edit your /etc/ssh/sshd_config file and add this at the bottom.

Match Group sftp     ChrootDirectory %h     ForceCommand internal-sftp     AllowTcpForwarding no

This tells OpenSSH that all users in the sftp group are to be chrooted to their home directory (which %h represents in the ChrootDirectory command)

Add a new sftp group, add your user to the group, restrict him from ssh access and define his home directory.

groupadd sftp usermod username -g sftp usermod username -s /bin/false usermod username -d /home/username

Restart ssh:

sudo service ssh restart

If you are still experiencing problems, check that the directory permissions are correct on the home directory. Adjust the 755 value appropriately for your setup.

sudo chmod 755 /home/username

EDIT: Based on the details of your question, it looks like you are just missing the sshd_config portion. In your case, substitute sftp with sftpexport. Also be sure that the file permissions are accessible on the /u02/export/cdrs directory.

An even better setup (and there are even better setups than what I am about to propose) is to symlink the /u02/export/cdrs directory to the user home directory.

163

answered Oct 04 '22 21:10

csi

You could need to add a restricted shell for this user can put some files there. You can use rssh tool for that.

usermod -s /usr/bin/rssh sftpexport

Enable allowed protocols in config /etc/rssh.conf.

answered Oct 04 '22 19:10

user3132194

Related questions
                            
                                Why does g++ look in LIBRARY_PATH/../lib64 and where is this documented?
                            
                                Docker: Combine multiple images
                            
                                How to create web based terminal using xterm.js to ssh into a system on local network
                            
                                Differences between arm "versions?" (ARMv7 only)
                            
                                WaitForSingleObject and WaitForMultipleObjects equivalent in Linux?
                            
                                Could you recommend some guides about Epoll on Linux [closed]
                            
                                Prevent git from popping up gnome password box
                            
                                How use Qt in Visual Studio Code?
                            
                                running time of two programs run separately and then together
                            
                                Forcing a spurious-wake up in Java
                            
                                Possible values for `uname -m`
                            
                                Does 3>&1 imply 4>&3 5>&3 etc.?
                            
                                How can I add a custom footer to Sphinx documentation? (reStructuredText)
                            
                                Lynx with javascript
                            
                                How to set a global nofile limit to avoid "many open files" error?
                            
                                How to automatically pipe to less if the result is more than a page on my shell?
                            
                                How to let bash subshell to inherit parent's set options?
                            
                                What is PATH on a Mac (UNIX) system?
                            
                                "Unexplainable" core dump
                            
                                What should a Java program listen for, to be a good Linux service?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!

Donate Us With