enthuguy asked:

restrict sftp user access

Hi Linux, Network, SFP experts,

Could you please suggest how to restrict a user's sftp access?

Scenario:
Have a Linux server
Created a local user "sftpuser" on the Amazon Linux server
Since we just wanted to allow sftp access to a particular directory
Installed required sftp packages etc. and mounted a NAS drive
Now, I can sftp to this host without any issues.

My request is
1. How can I restrict this user "sftpuser" to access only a particular directory (NAS mounted path) with read-write access?
2. Is it possible to give only read-only access (not write) to a particular directory (NAS mounted path)?
3. The first time it asks for host confirmation and I have to type yes, then all the subsequent logins are fine without a prompt. So how to avoid that?

Kindly please help
dfke

Hi,

You should set the appropriate rights on the CLI of the NAS mounted paths, i.e. similar to a chroot jail environment where you would redefine the user's root / directory upon login.

Something like:


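# Top-level directory: owned by root, not writable by group or others
sudo chown root /home/sftpuser
sudo chmod go-w /home/sftpuser
# Subdirectory the user can write to (the sftponly group must already exist)
sudo mkdir /home/sftpuser/writeable
sudo chown sftpuser:sftponly /home/sftpuser/writeable
sudo chmod ug+rwX /home/sftpuser/writeable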

Just as an example; you can set any other path as writeable as you see fit, of course.

That way 'sftpuser' or any other user you define won't be able to browse outside the defined perimeters and see all sorts of stuff he or she shouldn't. As access is 'wide open' as a default.


As for automated login without prompting for a password, you need to create a client certificate and load it up to the sftp server.

i.e. create a new passphrase-free ssh key on the client, and then add it to authorized_keys on your sftp server.

Or

Like the above, but instead set a passphrase on the key, and use ssh-agent to unlock it prior to running sftp.


Cheers

To be clear the public key needs to be added to the server, the user holds the private key.

The ssh agent ID unlocking is once / logon (or as long as the ssh-agent runs).

That's not a real restriction. It will work for the non-tech user, but if some hacker got their account, they would still be able to traverse out of those folders.

You need to create a chroot jail if you need it to be more secure. Here are some basic instructions for Ubuntu: https://help.ubuntu.com/community/BasicChroot
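
Added example, not part of the thread and not any poster's code: sshd accepts a chroot only when every directory from / down to it is root-owned and not writable by group or others, so this sketch checks that condition and prints a matching sshd_config stanza, with `-R` covering the read-only case from the question. The function names, the sample path, and the choice of `ChrootDirectory` with `ForceCommand internal-sftp` are assumptions; `stat -c` assumes GNU coreutils.

```shell
#!/bin/sh
# Added example, not from the thread. Function names and the sample path in the
# usage line are assumptions. stat -c needs GNU coreutils (as on Amazon Linux).

# component_ok DIR [UID]: succeed if DIR is a directory owned by UID (default 0)
# and not writable by group or others.
component_ok() {
    dir=$1; want_uid=${2:-0}
    [ -d "$dir" ] || { echo "$dir: not a directory" >&2; return 1; }
    uid=$(stat -c '%u' "$dir") || return 1
    mode=$(stat -c '%a' "$dir") || return 1
    [ "$uid" = "$want_uid" ] || { echo "$dir: owner uid $uid, want $want_uid" >&2; return 1; }
    # 022 (octal) = group-write | other-write
    [ $(( 0$mode & 022 )) -eq 0 ] || { echo "$dir: mode $mode is group/other-writable" >&2; return 1; }
}

# chroot_path_ok DIR: run component_ok on DIR and every parent up to /, the
# condition sshd enforces before it accepts a ChrootDirectory.
chroot_path_ok() {
    case $1 in /*) p=$1 ;; *) echo "$1: need an absolute path" >&2; return 1 ;; esac
    while :; do
        component_ok "$p" 0 || return 1
        [ "$p" = "/" ] && return 0
        p=$(dirname "$p")
    done
}

# sftp_match_block USER DIR MODE: print an sshd_config stanza that confines USER
# to DIR over SFTP only. MODE "ro" adds -R, which makes the session read-only.
sftp_match_block() {
    cmd="internal-sftp"
    [ "$3" = "ro" ] && cmd="internal-sftp -R"
    printf 'Match User %s\n' "$1"
    printf '    ChrootDirectory %s\n' "$2"
    printf '    ForceCommand %s\n' "$cmd"
    printf '    AllowTcpForwarding no\n'
    printf '    X11Forwarding no\n'
}

# Usage (as root): chroot_path_ok /home/sftpuser && sftp_match_block sftpuser /home/sftpuser rw
```

After appending the stanza to sshd_config, `sshd -t` checks the file for errors before the service is reloaded.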