I recently needed to set up an ftp server (or sftp server) that allows the user to transfer files. I had some restrictions:
- The account cannot have
sshaccess since I don’t want an unauthorized person to run jobs on the server.
- The account needs to be restricted to a single directory. I don’t want the account to have access to all files on the server.
I first followed this guide to get proftpd up with an account. However, I kept getting errors trying to log in using Nautilus or Filezilla. The error came from
PASV mode, which I think stems from a firewall/NAT issue. I next tried this to use vsftpd. Still no go (same error).
I decided to use sftp since I know for sure ssh works and that it’s more secure. Now that I think about it, none of my server has an ftp server running since sftp is more secure and Nautilus and Filezilla supports the sftp protocol.
From this post, I re-discovered rssh and the native support from recent versions of openssh. The “match user” method for openssh and the rssh method did not work for me. I finally stumbled on this post that made things work.
sudo apt-get install openssh ## this is already installed for me ## modify /etc/ssh/sshd_config # Use the following line to *replace* any existing 'Subsystem' line Subsystem sftp internal-sftp # These lines must appear at the *end* of sshd_config Match Group sftponly ChrootDirectory %h ForceCommand internal-sftp AllowTcpForwarding no ## in shell sudo groupadd sftponly sudo useradd newuser sudo passwd newuser ## set password sudo usermod -g sftponly -s /bin/false -d /home/newuser newuser sudo chown root:root /home/newuser cd /home/newuser sudo mkdir upload ## upload files in here sudo chown newuser:newuser upload sudo /etc/init.d/ssh restart
Now, ssh with the
newuser should not work, and sftp (via command line, nautilus, or filezilla) should only access one location.
/home/newuser is own by root, so
newuser can’t do much in there. Create a directory
upload, and make
newuser the owner.