Thursday, 14 January 2016

Create a user with only access to SFTP and not to SSH (Shell Executions)

STEP 1:-
Create a Group, which restricts users created under that group are not to move out of their Home Directory. This one we have to do it in sshd_config file.

This example is with SSH and VSFTPD modules. make sure those are installed in your linux box.

SSHD_CONFIG location would be in /etc/ssh/sshd_config

Enable / Add below line in  sshd_config file.
Subsystem sftp internal-sftp

# This section must be placed at the very end of sshd_config
Match Group sftpaccessonly
    ChrootDirectory /home/%u
    ForceCommand internal-sftp
    AllowTcpForwarding no

STEP2:
Create a Group with the name "sftpaccessonly"
$ groupadd sftpaccessonly

STEP3:
Go to HOME directory
$ cd /home

Create a User in home directory

$ adduser <your_user_name>

It prompts you a screen to enter password of the user along with other details like their Full Name, Room Number etc.
Enter all details and Confirm that those details are correct.
Now user got created.

STEP4:
Add user to the Group "sftpaccessonly"
$ usermod <your_user_name> -g sftpaccessonly

STEP5:
Restrict that specific user to execute any shell commands. To deny SSH shell access, run the following command:
$ usermod <your_user_name> -s /bin/false

STEP 6:
It is very important that root user is having full access on newly created user account.
$ sudo chown root /home/<your_user_name>

STEP 7:
Add write permissions to the directory <your_user_name> and all its contents for user and deny write access for everybody else.
$ sudo chmod go-w /home/<your_user_name>

OTHER STEPS:
create a directory / directories where user wants to have access to them.
sudo mkdir /home/<your_user_name>/<your_directory_name>

Give Permissions to the user with the specified group
sudo chown <your_user_name>:sftpaccessonly /home/<your_user_name>/<your_directory_name>

Give writable permissions.
sudo chmod ug+rwX /home/<your_user_name>/<your_directory_name>

Final STEPS:
Restart SSH
$ service ssh restart

Restart vsftpd
$ service vsftpd restart

Now you can login with the created credentials using SFTP. user can only access to their home directory specific folders which you have provided permissions.

Same users you can not login through SSH.









No comments:

Post a Comment

Thank you so much for providing your valuable feedback. I will will look into them and update my skills & technologies accordingly.