All posts for the month September, 2012

Here is how to set up a secured SFTP server where the user is not permitted shell access, nor access to any other part of the filesystem than what you allow with the chroot. I did this in September 2012 on Ubuntu 12.04.

First, I want to create a place for all the files to live:

sudo mkdir /data/

OpenSSH requires that the sftp user cannot have write access to the root directory, so you have to create at least one sub directory that can be owned by the sftp user:

sudo mkdir /data/incoming/

Second, we want to add a new user solely for this server:

sudo useradd --home-dir /data/incoming --no-create-home sftpuser

Change their password to something long and strong:

sudo passwd sftpupser

Give them control over the incoming directory so they can deposit files there:

sudo chown sftpuser:sftpuser /data/incoming/

Third, we need to enable SFTP in the SSHD configuration. Edit the file /etc/ssh/sshd_config and change the sftp line to this:

Subsystem sftp internal-sftp

Then add this chunk to the end of the file (make sure to put it after the “UsePAM” line!) :

Match User sftpuser
    ChrootDirectory /data
    AllowTCPForwarding no
    X11Forwarding no
    ForceCommand internal-sftp

Restart the SSH server with “sudo service ssh restart” and then you should be all set to go!

I have my server set up to server files using Samba (the windows filesharing protocol) now called CIFS. I wanted to use some authentication for the read/write share so here is how to do it.

Make a file called /etc/samba.credentials, owned by root:root, with permissions 0600, with these contents:

Then add a line like this to your /etc/fstab:
//server/sharename /mount/point cifs auto,credentials=/etc/samba.credentials,iocharset=utf8,file_mode=0777,dir_mode=0777,uid=youruser,gid=yourgroup,nounix 0 0

Then it should be automatically mounted when you login!