sFTP: Restrict SSH users
Posted: Thu Sep 07, 2017 2:28 am
This HowTo shows how to set up a Debian/Ubuntu-based Linux server so that some users have full SSH access, while others can only access their home folders by sFTP.
NOTE: The first steps (1-3) need only be executed once per system.

1) Create the group "ftpusers"
Code:
$ groupadd -r ftpusers

2) Add "sftp-server" binary as shell:
As root run:
Code:
$ echo "/usr/lib/sftp-server" >> /etc/shells

3) Modify your sshd_config for chroot:
Add the following block to your /etc/ssh/sshd_config file:
Code:
# Restrict FTP-only users:
Match Group ftpusers
ChrootDirectory /home/%u
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp

Don't forget to restart your sshd for these changes to take effect:
Code:
$ service ssh restart

4) Create a new user
...and add it to "ftpusers", and change its shell to "sftp-server".
Code:
$ usermod -a -G ftpusers USERNAME
$ usermod -s /usr/lib/sftp-server USERNAME

Then set root as the owner of USERNAME's home folder. This is required for chroot to work: sshd refuses the chroot unless the directory is owned by root and not writable by group or others.
Code:
$ chown root ~USERNAME
$ chmod 755 ~USERNAME

That should be it.
Now you can serve sFTP accounts without worrying about users wandering around on your server...
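A check for the ownership requirement in step 4, as an added example that is not part of the original post: sshd verifies that every component of the ChrootDirectory path is root-owned and not writable by group or others, so the script walks from the home folder up to /. The function names check_dir and check_chroot_path are hypothetical, and GNU stat (as shipped on Debian/Ubuntu) is assumed.

```shell
#!/bin/sh
# Added example: verify that a directory is acceptable as an sshd ChrootDirectory.
# check_dir and check_chroot_path are hypothetical helper names.
# Assumes GNU stat (Debian/Ubuntu).

# check_dir DIR [UID]: DIR must be owned by UID (default 0 = root)
# and must not be writable by group or others.
check_dir() {
    dir=$1
    want_uid=${2:-0}
    info=$(stat -c '%u %a' "$dir" 2>/dev/null) || {
        echo "FAIL $dir: cannot stat"
        return 1
    }
    uid=${info% *}
    mode=${info#* }
    if [ "$uid" != "$want_uid" ]; then
        echo "FAIL $dir: owner uid $uid, expected $want_uid"
        return 1
    fi
    # 022 = group-write and other-write bits; the leading 0 makes $mode octal
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "FAIL $dir: mode $mode is writable by group or others"
        return 1
    fi
    echo "ok   $dir (uid $uid, mode $mode)"
}

# check_chroot_path PATH: apply check_dir (owner root) to PATH and to every
# parent directory up to /. Returns 0 only if all components pass.
check_chroot_path() {
    path=$(cd "$1" 2>/dev/null && pwd -P) || {
        echo "FAIL $1: not an accessible directory"
        return 2
    }
    rc=0
    while :; do
        check_dir "$path" 0 || rc=1
        [ "$path" = "/" ] && break
        path=$(dirname "$path")
    done
    return $rc
}

# Usage: sh check_chroot.sh /home/USERNAME
if [ $# -gt 0 ]; then
    check_chroot_path "$1"
fi
```

Because the chroot root itself cannot be writable by the user, uploads need a subdirectory inside it that the user owns.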