ssh access

I have a customer that needs SSH access to the server but I would like to know if there is a way for Centos v6.4 to have some sort of restriction.
for example if the path is /home/user1/ I need something so that the users stays there and not able to search through /home or /bin etc..
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

gt2847cSr. Security ConsultantCommented:
For shell accounts it would depend on how draconian you want to be with it and what you are attempting to accomplish.  On the less complex end, setting proper file/directory permissions will restrict what the user can do and see, but it may not accomplish everything you're looking for.  Alternatively, you can create a "chroot jail" (change root) that the OS will change the root directory for that user such that their home directory becomes / and they can't go anywhere else.  The problem with doing it this way is that you now have to provide a copy of everything they need to function.  They will have to have certain /dev/ devices created, libraries et. al. A word of caution, setting up the chroot jail for a full shell account can be a real pain unless you know all the pieces parts you have to provide to let them accomplish their goal.

Here is an article on the starting point for a chroot jail for SSH
XK8ERAuthor Commented:
>chroot jail

sounds like the way to go because the only reason why I need them to login to the server through SSH is because the user is going to be uploading files to the user's own website and nothing else.. we do not offer FTP so just (ssh login) through WinSCP I think is good.. so what setup do you recommend?
gt2847cSr. Security ConsultantCommented:
If you simply want to allow SFTP for file uploads, that article I linked in above also describes how to set that up.  It will only allow SFTP access to those users added to the SFTP group (or whatever you decide to name the group).
XK8ERAuthor Commented:
yeah, I read it but im a bit confused as to what exactly I should do for my case.
gt2847cSr. Security ConsultantCommented:
If you want to be able to allow the user to only SFTP files into a directory and nothing else, do the following on your system:

Add the user.
Add a group "sftp" or whatever name you choose, just modify the following based on the name you select:

Edit the /etc/ssh/sshd_config file (you may want to copy the current config to another file in case you have a problem with your edits)

If you see the line (directory may vary):
Subsystem sftp /usr/lib/ssh/sftp-server 

Open in new window

Comment that out by adding a # to the beginning of that line.

Go to the bottom of the file and add the following:
Subsystem sftp internal-sftp
	Match Group sftp
	ChrootDirectory %h
	ForceCommand internal-sftp
	AllowTcpForwarding no

Open in new window

While logged in to a ssh session (in case of typos or other issues), restart the SSH daemon (/etc/init.d/sshd restart, service sshd restart, rcsshd restart, whatever works for yours).  Check your log to make sure that sshd restarted properly and didn't error out.  If it does, you will not be able to start a new session, but your current session will work until disconnected, so you should be able to fix it by undoing whatever you changed and restarting sshd again.  A "netstat -tl" will show you what's listening, and you'll want to see:
tcp        0      0 *:ssh                   *:*                     LISTEN  

Open in new window

in the list which means that SSH is running properly.

Next change the configuration of the user's login:
usermod -G sftp username
usermod -s /bin/false username
chown root:root /home/username
chmod 0755 /home/username
mkdir /home/username/uploads
chown username /home/username/uploads

Open in new window

"usermod -G"  adds the "username" to the "sftp" group
"usermod -s" changes the login shell to "/bin/false" which will prevent an interactive login
"chown root:root" changes the ownership of /home/username to root (required to make this work).  If you don't change ownership, you'll get a message in your syslog like:sshd[xxxx]: fatal: chroot into directory without nodev or nosuid
"chmod 0755" modifies permissions on the directory to allow root read/write/execute and group/other read execute.
"mkdir" to create a directory that the user can drop their files into
"chown" to give them ownership of that directory

Once you've done all that, you should be able to test the login.  SSHD will chroot the home directory for that user and from the client perspective, they'll see / as the home directory.  They will be able to change directory in to "uploads" (or whatever you name it) and add/delete/rename files there.  They won't be able to go any higher in the directory tree as chroot eliminates that possibility.  Any files that Centos creates in the home directory as part of the user creation process will be writable and owned by the user, but they will not be able to create any new files there.  You may wish to remove some of all of those files, but that's up to you.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.