I need to provide user access to Ubuntu 14.04 Server, only limited to certain folder. To enjoy the ssh security and not to open up new service and ports (i.e., ftp), I'd like to stick with sftp. However, just creating a user and enabling ssh access is too generous – the user then can log on via ssh and see whatever there is that is viewable by everybody.
I need the user to find themselves in a specific directory after login, and, according to their privileges, read/write files, as well as create folders where permitted. No access to any file or directory above the user's "root" folder.
What would be the suggested method to achieve this? Is there some very restricted shell type for this? I tried with
$ usermod -s /bin/false <username>
But that does not let the user cd into subfolders of their base folder.
Best Answer
If you want to restrict a user to SFTP, you can do it easily in the SSH daemon configuration file /etc/ssh/sshd_config. Put a Match block at the end of the file:

If the jail directory is the user's home directory as declared in /etc/passwd, you can use ChrootDirectory %h instead of specifying an explicit path. This syntax allows specifying a group of user accounts as SFTP-only — all users whose group as declared in the user database is sftponly will be restricted to SFTP: