cbock Tux's lil' helper
Joined: 16 Apr 2004 Posts: 149 Location: san diego
Posted: Wed Jun 16, 2004 1:10 am Post subject: configuring sftp for users
maybe i'm not asking the right questions. but, it seems simple enough. i don't want to have an ftp server running. i'd like a limited number of people to have the ability to upload and download to a given folder. sounds like sftp via ssh. however, after an account is created, the new user can log in using an ftp client. they start at /home/theiraccount, but, they can then go back to / and just about anywhere else. am i missing something in the user permission

sak102010 Tux's lil' helper
Joined: 08 Jun 2003 Posts: 82
Posted: Wed Jun 16, 2004 2:45 am
Your post is a little confusing. Let me see if I can help.
First, sftp is just a subsystem for ssh. It allows one the same permissions their regular shell account would have, but with the ability to upload and download files. A regular FTP client shouldn't be able to access your machine, unless it has sftp - or scp - client capabilities. It would have to first make an ssh connection, and then start an sftp subsystem request for the user.
If, on the other hand, you're running another, traditional FTP server on your system, then any FTP client application will be able to access the server.
If you're not running any other, traditional FTP server, then what you're experiencing with sftp is normal. What you can look into doing, however, is setting up a secure FTP daemon, such as VSFTP, or you can configure your ssh daemon on the server to do chroot jails for the users that log in. VSFTP's daemon comes with chroot capability, so it's a little easier to set up. Basically what you get is that when users log in, they can only mess around in their own directory, and no other.
Hope that helps.
_________________
Thanks,
Sak

splooge l33t
Joined: 30 Aug 2002 Posts: 636
Posted: Wed Jun 16, 2004 3:02 am
ssh secures the connection, not the box itself.
creating a chroot 'jail' that a user can't leave is possible, but slightly difficult. Imagine: if a user isn't allowed to leave his home dir: how does he execute `/bin/ls`?
The default file and directory permissions will prevent users from doing things they shouldn't.
_________________
http://get.a.clue.de
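
The chroot jail suggested in the replies above, and the `/bin/ls` problem it raises, shown with the `ChrootDirectory` directive and the in-process `internal-sftp` server that current OpenSSH provides (the in-process server needs no binaries inside the jail). This is an added example, not part of the original thread; the group name `sftponly`, both sample configs and the `audit_sftp_jail` helper are constructed for illustration.

```sh
#!/bin/sh
# Added example: audit sshd_config text for an SFTP-only chroot jail.
# Both configs are constructed samples; "sftponly" is an assumed group name.

# Weak: sftp rides on the normal shell account, so users can browse up to /
WEAK_CONFIG='Subsystem sftp /usr/libexec/sftp-server
'

# Hardened: members of sftponly are chrooted and limited to the built-in sftp server
HARDENED_CONFIG='Subsystem sftp internal-sftp
Match Group sftponly
    ChrootDirectory /srv/sftp/%u
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
'

# audit_sftp_jail CONFIG_TEXT GROUP
# Prints "jailed under <dir>" when the "Match Group GROUP" block sets both
# ChrootDirectory and ForceCommand internal-sftp; otherwise says what is missing.
# Simplification: only a Match line of the exact form "Match Group <name>" is recognised.
audit_sftp_jail() {
    printf '%s\n' "$1" | awk -v group="$2" '
        $1 ~ /^#/ { next }                      # skip comment lines
        { key = tolower($1) }                   # sshd keywords are case-insensitive
        key == "match" {                        # a Match block runs until the next Match
            inblock = (tolower($2) == "group" && $3 == group)
            next
        }
        # sshd uses the first value it obtains for a keyword
        inblock && key == "chrootdirectory" && chroot == "" { chroot = $2 }
        inblock && key == "forcecommand"    && force  == "" { force  = $2 }
        END {
            if (chroot == "" || tolower(chroot) == "none")
                print "not jailed: no ChrootDirectory for group " group
            else if (force != "internal-sftp")
                print "incomplete: ChrootDirectory set but ForceCommand is not internal-sftp"
            else
                print "jailed under " chroot
        }'
}

audit_sftp_jail "$WEAK_CONFIG" sftponly
audit_sftp_jail "$HARDENED_CONFIG" sftponly
```

sshd refuses the login unless every component of the `ChrootDirectory` path is owned by root and not writable by group or others, so uploads go into a user-owned subdirectory inside the jail.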

jftuga Tux's lil' helper
Joined: 21 Jan 2004 Posts: 139 Location: Athens, GA
Posted: Wed Jun 16, 2004 3:18 am
I do not know if this is applicable for your situation or not. If you want to allow just scp and/or sftp access w/o giving ssh shell access, then you might want to look into a program called rssh at http://www.pizzashack.org/rssh/index.shtml
I use this and it works very well. It has chroot capability, but I do not use it myself. Their documentation talks about how to set up a chroot environment, including programs like ls.
-John

cbock Tux's lil' helper
Posted: Wed Jun 16, 2004 6:44 am
thanks for your thought out post sak. thanks also splooge and jftuga. i'll take another look at vsftp. it didn't seem like it was configurable enough. proftp seems to get enough complaints around here. so, i thought i could muck with sftp enough to get it to do what i wanted. i will, instead try to get vsftp working the way i want.
thanks again.

cbock Tux's lil' helper
Posted: Thu Jun 17, 2004 3:59 pm
update:
i've gone back to sftp. i decided that i could live with it the way it is. i did try to get scponly working. but, i ran into problems there too. so, sftp it is.

etrek n00b
Joined: 23 Jun 2002 Posts: 58

cbock Tux's lil' helper
Posted: Thu Jun 17, 2004 6:20 pm
thanks etrek. i found that thread searching but didn't give it a try.
i just followed the directions and it does a nice enough job. :)