The best way is to use SFTP from SSH and jail the user.

In the file /etc/ssh/sshd_config, make sure this line is uncommented:

    Subsystem sftp internal-sftp

Then configure the rule to match a group:

    Match group sftponly
        ChrootDirectory /home/%u
        X11Forwarding no
        AllowTcpForwarding no
        ForceCommand internal-sftp

And lastly manage the users:

    # chown root:root /home/user
    # usermod -d / user
    # adduser user sftponly

Source: http://www.debian-administration.org/articles/590
Users don't “effectively have root access” just because they can browse other directories. All users with shell access can browse the software installation — this isn't confidential information after all, since it can be downloaded from any number of sites. If there are directories that you don't want to expose to all shell users, give them appropriately restrictive permissions.
If you want to have a second layer of safety, you can make the accounts more restricted. If you only want to allow these users to browse, upload and download files under /var/www/html/testuser.com, then don't give them a shell account; give them a restricted account that can only use SFTP. You can specify options for a specific account in sshd_config with a Match block. (Put this at the end of the file, since the Match directive extends to the next Match directive or to the end of the file.)

    Match User testuser
        ForceCommand internal-sftp
        ChrootDirectory /var/www/html/testuser.com

If you want to allow the users to use a few more commands such as scp and rsync, but not general shell access, use rssh or scponly as the shell on their account, and install and configure rssh or scponly to specify which commands you want to allow (see Do you need a shell for SCP?).
If you want to give a shell account that only allows running a few whitelisted programs, make their shell a restricted shell. Note that these users will be able to access files outside their home directory, based on file permissions.
If you want to give full shell access, but make everything other than home directories invisible, then you need to create some form of jail. The weakest form of jail is a chroot jail, which restricts the user to a branch of the directory tree. Restricting a user to a chroot is as easy as specifying ChrootDirectory in sshd_config; however, since the user cannot exit the jail, the directory must contain all the programs that the user will use and their data. You can use bind mounts to make some directories (e.g. /usr) visible inside the jail.
Best Answer
On the server side, you can restrict this by setting their user shell to /bin/true. This will allow them to authenticate, but not actually run anything since they don't get a shell to run it in. This means they will be limited to whatever subset of things SSH is able to offer them. If it offers port forwarding, they will still be able to do that.
On the client side, you will probably want to connect with -N. This stops the client from ASKING for a remote command such as a shell; it just stops after the authentication part is done. Thanks to commenters for pointing this out.
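
As an added example (not code from any of the answers above), a small Python linter applies the Match-block scoping described in the answers and flags chrooted blocks that omit ForceCommand internal-sftp or leave forwarding enabled. The function names, the sample configuration and the simplified precedence model are assumptions made for illustration.

```python
# Added example: lint sshd_config text for chrooted Match blocks. Simplified model
# (assumption): first value per keyword wins; Match blocks inherit global settings.
DEFAULTS = {"allowtcpforwarding": "yes", "x11forwarding": "no"}  # OpenSSH defaults
# Constructed sample configuration, not taken from a real host.
SAMPLE = """\
X11Forwarding yes
Match Group sftponly
    ChrootDirectory /home/%u
    X11Forwarding no
    AllowTcpForwarding no
    ForceCommand internal-sftp
Match User testuser
    ChrootDirectory /var/www/html/testuser.com
"""

def parse(text):
    """Split the file into global settings and Match blocks, in file order."""
    global_cfg, blocks = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key, value = parts[0].lower(), parts[1].strip() if len(parts) > 1 else ""
        if key == "match":  # a Match block runs to the next Match or end of file
            blocks.append((value, {}))
        else:
            (blocks[-1][1] if blocks else global_cfg).setdefault(key, value)
    return global_cfg, blocks

def lint(text):
    """Return {match criteria: [findings]} for each block that sets ChrootDirectory."""
    global_cfg, blocks = parse(text)
    report = {}
    for criteria, cfg in blocks:
        if "chrootdirectory" not in cfg:
            continue
        eff = {**DEFAULTS, **global_cfg, **cfg}  # block overrides global overrides default
        found = []
        if eff.get("forcecommand", "").split()[:1] != ["internal-sftp"]:
            found.append("ForceCommand internal-sftp not set")
        for kw in ("AllowTcpForwarding", "X11Forwarding"):
            if eff[kw.lower()].lower() != "no":
                found.append(f"{kw} is {eff[kw.lower()]}")
        report[criteria] = found
    return report

if __name__ == "__main__":
    print(lint(SAMPLE))
```

To check a real host, pass the contents of /etc/ssh/sshd_config to lint(); files pulled in with Include are not followed by this sketch.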