unix sysadmin

All posts tagged unix sysadmin

Here is how to set up a secured SFTP server where the user is not permitted shell access, nor access to any other part of the filesystem than what you allow with the chroot. I did this in September 2012 on Ubuntu 12.04.

First, I want to create a place for all the files to live:

sudo mkdir /data/

OpenSSH requires that the sftp user cannot have write access to the root directory, so you have to create at least one sub directory that can be owned by the sftp user:

sudo mkdir /data/incoming/

Second, we want to add a new user solely for this server:

sudo useradd --home-dir /data/incoming --no-create-home sftpuser

Change their password to something long and strong:

sudo passwd sftpupser

Give them control over the incoming directory so they can deposit files there:

sudo chown sftpuser:sftpuser /data/incoming/

Third, we need to enable SFTP in the SSHD configuration. Edit the file /etc/ssh/sshd_config and change the sftp line to this:

Subsystem sftp internal-sftp

Then add this chunk to the end of the file (make sure to put it after the “UsePAM” line!) :

Match User sftpuser
    ChrootDirectory /data
    AllowTCPForwarding no
    X11Forwarding no
    ForceCommand internal-sftp

Restart the SSH server with “sudo service ssh restart” and then you should be all set to go!