Chrooted SFTP-only accounts with OpenSSH

Courtesy of slashdot user CarlHaagen:

First off, add a group that you call for example “sftponly”. New users that are to be allowed only sftp access should have “sftponly” as their login group, and have /sbin/nologin as shell to deny them shell access. Their home directories should be owned by root:sftponly, and within the home dir you then create relevant user-controllable directories which should be owned by :sftponly.

Secondly, the sshd_config magic that makes the whole charade work:

Subsystem sftp /usr/libexec/sftp-server
Match Group sftponly
ForceCommand internal-sftp
ChrootDirectory %h

What happens is that when the SSHd matches the user’s login group successfully, it forcefully switches over to the internal sftp component instead of the default external subsystem, which in turn makes it possible to chroot the user to his/her home dir without having to place a plethora of system files in each user’s home directory.
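The setup above depends on each home directory being owned by root. sshd_config(5) requires every component of the ChrootDirectory path to be a root-owned directory that is not writable by any other user or group. The script below is an added example, not part of the quoted comment, that audits a path against that rule; the function names are hypothetical, and the optional second argument (expected owner uid) exists only so the check can be tried without root.

```shell
#!/bin/sh
# Added example (not from the original post). check_dir and
# check_chroot_path are hypothetical helper names.

# check_dir DIR [OWNER_UID]: succeed when DIR is a directory owned by
# OWNER_UID (default 0 = root) and not writable by group or others.
check_dir() {
    dir=$1
    want_uid=${2:-0}
    # Refuse symlinks so the ls output below describes the directory itself.
    if [ -L "$dir" ] || [ ! -d "$dir" ]; then
        echo "FAIL $dir: not a plain directory" >&2
        return 1
    fi
    # POSIX "ls -ldn" prints: mode links uid gid ... with numeric ids.
    read -r mode links uid rest <<EOF
$(ls -ldn "$dir")
EOF
    rc=0
    if [ "$uid" != "$want_uid" ]; then
        echo "FAIL $dir: owner uid $uid, expected $want_uid" >&2
        rc=1
    fi
    case $mode in   # 6th character of the mode string is group write
        ?????w*) echo "FAIL $dir: group-writable ($mode)" >&2; rc=1 ;;
    esac
    case $mode in   # 9th character is write for others
        ????????w*) echo "FAIL $dir: world-writable ($mode)" >&2; rc=1 ;;
    esac
    return $rc
}

# check_chroot_path DIR [OWNER_UID]: apply check_dir to DIR and to every
# parent up to /, because each component of the path has to pass.
check_chroot_path() {
    p=$1
    case $p in
        /*) ;;
        *) echo "FAIL $p: path must be absolute" >&2; return 2 ;;
    esac
    path_rc=0
    while :; do
        check_dir "$p" "${2:-0}" || path_rc=1
        [ "$p" = "/" ] && break
        p=$(dirname "$p")
    done
    return $path_rc
}
```

Call it as `check_chroot_path /home/alice` (a constructed path) for each member of the sftponly group; each FAIL line names a path component to fix.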
