Introduction
In this article, we will build an SFTP server with the following conditions:
- Users can't log in via SSH
- Users can log in via SFTP
- Users can only enter specified directories
- Users can upload and download files only in the specified directories
Environment
GCP Ubuntu 18.04
The commands below are run as root. If you are not root, prefix them with sudo.
Create a SFTP group
Create a group
groupadd sftp-users
Make sure the group was created
grep 'sftp-users' /etc/group
Create SFTP users
Create a user
useradd -g sftp-users -d /upload -s /sbin/nologin test
-g: primary group
-d: home directory (here /upload, which is resolved inside the chroot configured below)
-s: login shell; the nologin shell is commonly used for system accounts that are not granted login permission
Make sure the user was created
grep test /etc/passwd
If the user already exists, the same settings can be applied with usermod
usermod -g sftp-users -d /upload -s /sbin/nologin test
SSH configuration
Open the SSH config file
vim /etc/ssh/sshd_config
Comment out the original Subsystem line and add one that uses internal-sftp
# Subsystem sftp /usr/lib/openssh/sftp-server
Subsystem sftp internal-sftp
Specify the root directory for the group
Match Group sftp-users
    ChrootDirectory /home/sftp-users/%u
    ForceCommand internal-sftp
ChrootDirectory: sets the root directory for that group
%u: expands to the user name, so each user's root directory is named after the user. In this case, the root directory is /home/sftp-users/test
ForceCommand: forces internal-sftp, so the user cannot get a shell or run other commands
The Match block above must be placed at the end of the file, otherwise an error occurs
Directory allowed for uploading and downloading
- Create a folder in which the user is allowed to upload and download
install -d -o test -g sftp-users /home/sftp-users/test/upload
-d: create a directory
-o: owner
-g: group
The user is only allowed to upload and download inside this upload folder
Because of OpenSSH's chroot security check, the ChrootDirectory must be owned by root, and only root may have write permission on it. If the ChrootDirectory is not owned by root, no one can log in.
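Before restarting sshd it is worth verifying the rule above, which OpenSSH actually applies to every directory on the chroot path, not only the last one. The following script is an added example, not code from the original article; it assumes GNU coreutils stat (as on Ubuntu) and takes the chroot directory as its argument.

```shell
#!/bin/sh
# Added example (not part of the original article): check that a
# ChrootDirectory meets OpenSSH's ownership rule before restarting sshd.
# Assumes GNU coreutils `stat -c` (as on Ubuntu 18.04).

# perm_ok UID MODE: succeeds if the directory is owned by root (uid 0) and
# has no group or other write bit. MODE is the octal string from `stat -c %a`
# (e.g. 755 or 1755); the leading 0 makes the shell parse it as octal, and
# 022 masks the group/other write bits.
perm_ok() {
    [ "$1" -eq 0 ] || return 1
    [ $(( 0$2 & 022 )) -eq 0 ]
}

# check_chroot_path DIR: walks from DIR up to / and applies perm_ok to every
# component, because sshd rejects the chroot if any ancestor is writable by
# a non-root user. Prints the first offending directory on failure.
check_chroot_path() {
    start=$1
    dir=$1
    while :; do
        info=$(stat -c '%u %a' "$dir") || return 1
        set -- $info
        if ! perm_ok "$1" "$2"; then
            echo "NOT OK: $dir (uid=$1 mode=$2) must be root-owned and not group/other writable" >&2
            return 1
        fi
        [ "$dir" = / ] && break
        dir=$(dirname "$dir")
    done
    echo "OK: $start and all parent directories satisfy the ChrootDirectory rule"
}

# Usage: sh check_chroot.sh /home/sftp-users/test
if [ $# -gt 0 ]; then
    check_chroot_path "$1"
fi
```

Run it against /home/sftp-users/test after the install step; a failure names the directory that must be fixed with chown root and chmod before the user can log in.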