How to configure SFTP with restricted directory access


Steps to configure SFTP on a Linux server with access restricted to one particular directory. Additionally, learn how to deny SSH login to the user and allow only SFTP login.


In this article, we will walk you through the procedure to configure SFTP on your server and restrict an SFTP user's access to a specific directory.

The whole process is listed below stepwise. If you already have SFTP configured or the users created, you can skip those steps.

1. Add SFTP user to the system
2. Prepare SFTP directory
3. Configure SFTP on SSH service layer
4. Allow user for SFTP only and deny SSH access
5. Verify access

In the example below, we will create the user sftp_user1, allow him SFTP access, deny him SSH access and restrict his SFTP access to the directory /sftp_uploads/user1.

Add SFTP user to the system

It is a simple useradd. For easier administration of SFTP users, add an SFTP group to your system as well. The login shell is set to /sbin/nologin so the account can never get an interactive shell even if the sshd restrictions below were missing; this does not interfere with SFTP because internal-sftp runs inside sshd and does not need a shell.

[root@kerneltalks ~]# groupadd sftp_group
[root@kerneltalks ~]# useradd -g sftp_group -s /sbin/nologin sftp_user1
[root@kerneltalks ~]# passwd sftp_user1

Prepare SFTP directory

Keep in mind that you need a base directory owned by root; this becomes the ChrootDirectory. sshd refuses the chroot unless every component of that path is owned by root and is not writable by group or others (the failure shows up in the sshd log as "bad ownership or modes for chroot directory"). Under the base directory you create the restricted directory where the SFTP user is to be confined. Once the SFTP user logs in, he is jailed inside the ChrootDirectory and cannot move beyond it.

Set ownership and permissions for the SFTP directory. I kept them for the owner only, i.e. sftp_user1. The base directory is created with the default umask, which gives a root-owned 755 directory; if your umask differs, make sure /sftp_uploads is not group- or world-writable (chmod 755 /sftp_uploads), otherwise sshd will reject the chroot.

[root@kerneltalks ~]# mkdir -p /sftp_uploads/user1
[root@kerneltalks ~]# chown root:root /sftp_uploads
[root@kerneltalks ~]# chown sftp_user1:sftp_group /sftp_uploads/user1
[root@kerneltalks ~]# chmod 700 /sftp_uploads/user1

Configure SFTP in SSH service

SFTP is a subsystem offered by the SSH daemon. To enable it, add the lines below to the SSH configuration file /etc/ssh/sshd_config. Put the Match block at the end of the file: every directive that follows a Match line belongs to that block until the next Match, so global settings placed after it would either apply only to the matched users or be rejected by sshd.

If your SSH config file already has /usr/libexec/openssh/sftp-server enabled as the SFTP subsystem, comment it out.

Subsystem sftp internal-sftp

# To restrict a single account instead of a group, use: Match User sftp_user1
Match Group sftp_group
    ChrootDirectory /sftp_uploads
    ForceCommand internal-sftp
    X11Forwarding no
    AllowTcpForwarding no

Here is what each line does:

Subsystem sftp internal-sftp: tells the SSH daemon to run the in-process SFTP subsystem, which needs no binaries or libraries inside the chroot.
Match Group sftp_group: applies the directives that follow to users who belong to the group sftp_group (with Match User, only to the named user, i.e. sftp_user1).
ChrootDirectory /sftp_uploads: when they log in, confines their view of the filesystem to the base directory /sftp_uploads.
ForceCommand internal-sftp: allows them to use only the SFTP service and denies SSH shell login.
X11Forwarding no: disables X11 forwarding for these users so they cannot tunnel GUI apps.
AllowTcpForwarding no: disables TCP port forwarding for them as well.

Restart the SSH daemon to pick up the new configuration. Before that, run sshd -t: it validates the file without touching the running daemon and names the offending line if, for example, a directive is not allowed inside the Match block. You can also send sshd a HUP signal instead of restarting, which re-reads the configuration without affecting sessions that are already established.

[root@kerneltalks ~]# systemctl restart sshd
[root@kerneltalks ~]# kill -HUP $(cat /var/run/sshd.pid)
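Two things go wrong most often with this setup: the ChrootDirectory tree fails sshd's ownership and mode check, and the Match block ends up in the wrong place in sshd_config. The script below, added here as an example (it is not part of the original article or of OpenSSH), implements both pre-flight checks so you can run them before restarting sshd. It assumes a Linux host with GNU coreutils (stat -c, readlink -f); the directory and group names are the ones used above. The OWNER_UID and STOP_DIR parameters of check_chroot_path exist only so the check can be tried as an unprivileged user against a scratch directory; in production call it with just the chroot path.

```sh
#!/bin/sh
# Added example (not from the original article): pre-flight checks for a
# chrooted SFTP setup. Assumes a Linux host with GNU coreutils (stat -c,
# readlink -f). Paths and names mirror the article (/sftp_uploads, sftp_group).

# check_chroot_path DIR [OWNER_UID] [STOP_DIR]
# sshd refuses a ChrootDirectory unless every component of the path is owned
# by root and is not group- or world-writable (sshd logs "bad ownership or
# modes for chroot directory"). Walks from DIR up to STOP_DIR (default /) and
# reports the first offending component: 0 = ok, 1 = violation, 2 = unreadable.
# OWNER_UID defaults to 0 (root); it is a parameter only so the check can be
# exercised as an unprivileged user against a scratch directory.
check_chroot_path() {
    dir=$(readlink -f -- "$1") || return 2
    owner=${2:-0}
    stop=$(readlink -f -- "${3:-/}") || return 2
    cur=$dir
    while :; do
        st=$(stat -c '%u %a' -- "$cur" 2>/dev/null) || return 2
        uid=${st% *}
        mode=${st#* }
        if [ "$uid" != "$owner" ]; then
            printf '%s: owned by uid %s, expected uid %s\n' "$cur" "$uid" "$owner"
            return 1
        fi
        # 022 = group write (020) | other write (002); the leading 0 makes
        # the mode string an octal number in shell arithmetic
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            printf '%s: mode %s is group- or world-writable\n' "$cur" "$mode"
            return 1
        fi
        [ "$cur" = "$stop" ] && return 0
        [ "$cur" = "/" ] && return 0
        cur=$(dirname -- "$cur")
    done
}

# _block_ok HAS_FORCE HAS_CHROOT: a Match block is acceptable unless it forces
# internal-sftp without also setting ChrootDirectory
_block_ok() { [ "$1" -eq 0 ] || [ "$2" -eq 1 ]; }

# check_sshd_config FILE
# Every directive after a Match line belongs to that block until the next
# Match, so two mistakes are easy to make: placing Subsystem (global only)
# below a Match block, and forcing internal-sftp in a Match block without a
# ChrootDirectory, which confines the user to SFTP but still lets him browse
# the whole filesystem. Reports both; returns 0 only when the file has neither.
check_sshd_config() {
    file=$1; lineno=0; errors=0; in_match=0; has_force=0; has_chroot=0
    set -f   # no globbing while splitting lines into words
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        line=${line%%#*}                     # strip comments
        set -- $line                         # split into words; $1 = keyword
        [ $# -eq 0 ] && continue
        key=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
        case $key in
            match)
                if [ "$in_match" -eq 1 ] && ! _block_ok "$has_force" "$has_chroot"; then
                    printf 'Match block ending before line %s forces internal-sftp without ChrootDirectory\n' "$lineno"
                    errors=$((errors + 1))
                fi
                in_match=1; has_force=0; has_chroot=0 ;;
            subsystem)
                if [ "$in_match" -eq 1 ]; then
                    printf 'line %s: Subsystem is not allowed inside a Match block; move it above the first Match\n' "$lineno"
                    errors=$((errors + 1))
                fi ;;
            chrootdirectory)
                [ "$in_match" -eq 1 ] && has_chroot=1 ;;
            forcecommand)
                [ "$in_match" -eq 1 ] && [ "$2" = "internal-sftp" ] && has_force=1 ;;
        esac
    done < "$file"
    set +f
    if [ "$in_match" -eq 1 ] && ! _block_ok "$has_force" "$has_chroot"; then
        printf 'last Match block forces internal-sftp without ChrootDirectory\n'
        errors=$((errors + 1))
    fi
    [ "$errors" -eq 0 ]
}

# Run directly as: sh sftp-preflight.sh /sftp_uploads /etc/ssh/sshd_config
if [ "$#" -eq 2 ]; then
    check_chroot_path "$1" && check_sshd_config "$2" && echo 'pre-flight checks passed'
fi
```

Neither check replaces sshd -t, which validates the whole file; but sshd -t accepts a Match block that forces internal-sftp without a ChrootDirectory, since that is a valid configuration, just not the one this article wants.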

Verify access

Now there are three things we need to verify here:

1. sftp_user1 should be able to connect using the SFTP protocol.
2. sftp_user1 should not be allowed to log in using SSH.
3. When logged in using SFTP, sftp_user1 should be restricted to the /sftp_uploads/user1 directory only.

Let's test all three points:

[root@kerneltalks ~]# sftp sftp_user1@192.168.0.106
sftp_user1@192.168.0.106's password:
Connected to 192.168.0.106.
sftp>

So the first point is validated.

[root@kerneltalks ~]# ssh sftp_user1@192.168.0.106
sftp_user1@192.168.0.106's password:
Could not chdir to home directory /home/sftp_user1: No such file or directory
This service allows sftp connections only.
Connection to 192.168.0.106 closed.

There! The second point is validated. The chdir warning is expected: sshd changes to the user's home directory after the chroot has taken effect, and there is no /home/sftp_user1 inside /sftp_uploads. The next line is the forced command refusing anything other than SFTP.

[root@kerneltalks ~]# sftp sftp_user1@192.168.0.106
sftp_user1@192.168.0.106's password:
Connected to 192.168.0.106.
sftp> ls
user1
sftp> pwd
Remote working directory: /user1

And the third point as well. You can see the SFTP user's working directory is /user1, which is /sftp_uploads/user1 on the SFTP server. Since we jailed him using ChrootDirectory /sftp_uploads, he is inside it and cannot see beyond it; hence every path he sees is relative to the chroot. Two practical notes: the chroot root itself is owned by root with mode 755, so the user can list it but cannot upload there, and files must go into user1. If you want him to land in that directory directly, set the account's home directory to /user1, the path as it appears inside the chroot; since sshd changes to the home directory after the chroot takes effect, this also makes the chdir warning seen above go away.
