Sftp user chrooted in a directory


 
Old 08-07-2014

Hello,

I have a task to create 3 users that must connect only via sftp on a machine, and must have only read access to a certain directory (they shouldn't be able to cd anywhere else).
The problem is that the directory these users must have access to is already created/owned by another user/group, which also has xw rights there.

My approach for this was to create the new users in the owner group of the respective directory. Then I configured /etc/ssh/sshd_config so the users are chrooted in that directory.

Like this :

the directory where the users have to be 'caged' with only read permissions :
Code:
miemand1:/home # ls -ld /var/sppm/module/mnp
drwxr-xr-x 7 ologw sog 4096 Aug  1 09:47 /var/sppm/module/mnp

The user creation and chroot settings :
Code:
useradd -g sog -d /var/sppm/module/mnp -s /sbin/nologin user1
vi /etc/ssh/sshd_config
Match User user1
        ChrootDirectory %h
        AllowTCPForwarding no
        X11Forwarding no
        ForceCommand internal-sftp

sshd -t
service sshd restart

I'm not sure exactly what ChrootDirectory %h does, but I assume it 'cages' the respective user in his home directory.. ?
My problem is that once the 'ChrootDirectory %h' is in place my user cannot log in :
Code:
[mnuser@NagiosPM ~]$ sftp -v user1@10.21.250.233
Connecting to 10.21.250.233...
OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to 10.21.250.233 [10.21.250.233] port 22.
debug1: Connection established.
debug1: identity file /box/monitoring/.ssh/id_rsa type 1
debug1: identity file /box/monitoring/.ssh/id_rsa-cert type -1
debug1: identity file /box/monitoring/.ssh/id_dsa type -1
debug1: identity file /box/monitoring/.ssh/id_dsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.2
debug1: match: OpenSSH_6.2 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.3
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host '10.21.250.233' is known and matches the RSA host key.
debug1: Found key in /box/monitoring/.ssh/known_hosts:10
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Offering public key: /box/monitoring/.ssh/id_rsa
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Trying private key: /box/monitoring/.ssh/id_dsa
debug1: Next authentication method: keyboard-interactive
Password:
debug1: Authentication succeeded (keyboard-interactive).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
Write failed: Broken pipe
Couldn't read packet: Connection reset by peer

Any ideas how should I approach this?
