First, you create a public and private key (if you haven't done so already) on the machine from which you want to login:
ssh-keygen -t dsa
You only need to do this if there isn't already a ~/.ssh/id_dsa.pub
file.
On Linux, there's the ssh-copy-id
helper. On Mac, you need to copy the public key by hand:
Copy the generated public key to the target machine:
scp ~/.ssh/id_dsa.pub user@targetmachine:myPublicKey.pub
Login to the target machine:
ssh user@targetmachine
Append the public key to the authorized keys:
cat myPublicKey.pub >>.ssh/authorized_keys
You can now delete the copied key:
rm myPublicKey.pub
Done. You should now be able to login to your target machine without the need to enter a password.
The best way to do this is to create a chroot jail for the user. I'll clean up the answer here when I get home but I posted the solution on my blog.
https://thefragens.com/chrootd-sftp-on-mac-os-x-server/
Below are most of the instruction from the above post.
First, you should create the new user in Workgroup Admin and either assign them access privileges for SSH via Server Admin or assign them to a group that has SSH access privileges. Further discussion is below.
From the Terminal, start off right.
sudo cp /etc/sshd_config /etc/sshd_config.bkup
sudo chown root /
sudo chmod 755 /
sudo mkdir -p /chroot/user/scratchpad
sudo chown -R root /chroot
sudo chown user /chroot/user/scratchpad
sudo chmod -R 755 /chroot
Every additional new user added will then be something along the lines of the following.
sudo mkdir -p /chroot/user2/scratchpad
sudo chown root /chroot/user2
sudo chown user2 /chroot/user2/scratchpad
sudo chmod -R 755 /chroot/user2
Every folder it the path to the chroot jail must be owned by root
. I don't think it matters what group the folder is in. What I did above was to
- backup
/etc/sshd_config
- change ownership of the root directory to
root
- change permissions of the root directory to 755
- create a chroot folder
- create a user folder inside the chroot folder
- create a folder inside the user folder that user can modify
- set ownership and permissions
Now to edit /etc/sshd_config
to the following.
#Subsystem sftp /usr/libexec/sftp-server
Subsystem sftp internal-sftp
Match User user
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp
ChrootDirectory /chroot/user
This creates a chroot jail that when the user logs in will drop them into the folder /chroot/user
, in that folder is a folder they can add things to /chroot/user/scratchpad
.
If you want to create a Group in Workgroup Admin for 'Chroot Users' then add the new users that you created in Workgroup Admin to the Group you won't have to keep editing the /etc/sshd_config
file. Instead of the above, add the following. Make sure you add the 'Chroot Users' group to the SSH access ACL in Server Admin.
Match Group chrootusers
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp
ChrootDirectory /chroot/%u
To test whether the above is working, issue the following from the terminal.
$ sftp user@domain.com
Password:
sftp>
Best Answer
You can only have one password for one and the same account, but for SSH and SFTP you can however further restrict access to make it more secure.
One thing you can and should do if your SSH server is available to the public is disable password authentication altogether:
Edit
/etc/sshd_config
(requires root credentials) and uncomment the line:Next uncomment and change the following directive to no.
Now you can only authenticate with SSH keys and authenticating with passwords is disabled. To set up a public and private key I'd refer you to the following documentation.
Additionally you can also restrict which accounts can login over SSH and for example only allow one specific user (which can be different from your day-to-day account and can have a more secure password). You can do that right from the
Sharing
preference pane.