It sounds like you want your customers to have file transfer access to a folder without actually giving them shells. This is a good thing because, as binfalse pointed out, giving people shells with limited access is tricky because shells need to access all kinds of things scattered on the system just to run.
In order to give SFTP access to a specific folder, you can do something like this.
- Add a new group to the system, say 'sftponly'.
- Add any users on your system that should have restricted rights to this group. You could also give them restricted shells like /bin/true, but it's not required.
- Change your ssh config file (usually /etc/ssh/sshd_config) with these lines:

    Subsystem sftp internal-sftp
    Match Group sftponly
        ChrootDirectory %h
        AllowTCPForwarding no
        X11Forwarding no
        ForceCommand internal-sftp

This would activate the sftp subsystem inside of SSH and force members of that system group to use only that system when logging in. It would also chroot them to their home directories. You could change that to be a sub-folder of their home directories as well with something like ChrootDirectory %h/musteri_sftp so that they couldn't see the rest of their system files but would login directly to a special subfolder of their home folder.
Good luck.
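
A common failure with the ChrootDirectory setup above is a login that is refused over the chroot path's permissions: sshd_config(5) requires every component of that path to be a root-owned directory that is not writable by group or others. The check below is an added example, not part of the original answer; it assumes GNU stat (as on Debian), and the function names component_ok and chroot_path_ok are hypothetical.

```shell
#!/bin/sh
# Added example: approximates the ownership/mode rule sshd applies to
# ChrootDirectory. Assumes GNU stat; function names are hypothetical.

# component_ok DIR [OWNER_UID]
# Succeeds when DIR is a directory owned by OWNER_UID (default 0 = root)
# and not writable by group or others.
component_ok() {
    dir=$1
    want_uid=${2:-0}
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 1; }
    uid=$(stat -L -c '%u' "$dir") || return 1
    mode=$(stat -L -c '%a' "$dir") || return 1
    if [ "$uid" -ne "$want_uid" ]; then
        echo "wrong owner (uid $uid): $dir" >&2
        return 1
    fi
    # 022 masks the group-write and other-write bits of the octal mode.
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "group/other writable (mode $mode): $dir" >&2
        return 1
    fi
}

# chroot_path_ok PATH
# Applies component_ok, with root as owner, to PATH and each parent up to /.
chroot_path_ok() {
    p=$1
    case $p in
        /*) ;;
        *) echo "need an absolute path: $p" >&2; return 1 ;;
    esac
    while :; do
        component_ok "$p" 0 || return 1
        [ "$p" = / ] && return 0
        p=$(dirname "$p")
    done
}

# Usage: sh check_chroot.sh /home/alice   (constructed sample path)
if [ $# -gt 0 ]; then
    chroot_path_ok "$1" && echo "ok: $1"
fi
```

Run it as root against the directory that %h (or %h/musteri_sftp) expands to for a given user; a non-zero exit names the first component that sshd would reject.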
Best Answer
Paradeepchhetri isn't exactly correct.
Debian's unmodified sshd_config has the following:

Thus, login via ssh would only work for users that have a populated password field in /etc/shadow or an ssh key in ~/.ssh/authorized_keys. Note that the default value for PubkeyAuthentication is yes and for PermitEmptyPasswords is no, so even if you remove them the behavior will be the same.

In the question example, www-data by default won't be allowed to log in since Debian's installer neither assigns a password nor creates a key for www-data.

pam_access, AllowUsers and AllowGroups in sshd_config can be used for finer control if that's needed. In Debian it's strongly encouraged to UsePAM.