Often we need to provide secure but restricted sftp access to our clients to upload or download large files.
Regular sftp accounts allow the users to view login names of other users/clients and in many default installations even allow them to browse through the directories and files. In addition, they can also view your system files and any unprotected files and directories including much of your system settings under etc.
When you provide sftp access, you also provide ssh access (sftp is a subsystem of ssh) and as such users can login.
We address these issues by enclosing the user’s home directory in chroot jail, which makes it impossible for the user to break out of his home directory and view other’s files and directories.
Follow the steps below to configure your system.
As root (or sudo) modify /etc/ssh/sshd_config:Change Subsystem sftp line to:
Subsystem sftp internal-sftp
Add this to the end of the file:
Match Group sftp
ChrootDirectory %h
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp
Save the changes and restart OpenSSH:
sudo apt install whois
Create a system group for users with restricted sftp access:
addgroup --system sftp
Now you can add users with addsftpuser and delete with delsftpuser from GitHub project restricted-sftp.
Clone the repository with:
git clone https://github.com/angsuman/restricted-sftp.git
Copy the files addsftpuser and delsftpuser to your ~/bin or any other directory in your PATH like /usr/bin.
Run it with by specifying the login name of the sftp user:
addsftpuser new-login
The only downside is that the user cannot upload/download files and directories under his home directory directly (as it is owned by root) but can do under Files sub-directory. There you have full access and can upload/download/delete/rename files and directories. To create additional directories under home, edit the addftpuser script and create them following the same procedure as Files.