How to set permissions for users to access directories via SFTP on Linux

Source: Internet
Author: User
Tags: connection reset, ssh

SFTP and FTP are different protocols. SFTP is a subsystem of SSH: it is available as soon as the sshd server is running, and it does not need a separate FTP server to be started.

1. Check the OpenSSH version. To restrict SFTP users to a specific directory, the version must be higher than 4.8.

The code is as follows:
[root@localhost ftp]# rpm -qa | grep openssh
openssh-server-5.3p1-81.el6_3.x86_64
openssh-5.3p1-81.el6_3.x86_64
openssh-clients-5.3p1-81.el6_3.x86_64

2. Create the user and restrict it to SFTP access only (no login shell)

The code is as follows:
[root@localhost ftp]# useradd -m -d /opt/ftp/dave -s /sbin/nologin dave

3. Confine the user to its home directory on SFTP login by editing the /etc/ssh/sshd_config file

The code is as follows:
[root@localhost ftp]# vim /etc/ssh/sshd_config
#Subsystem sftp /usr/libexec/openssh/sftp-server
Subsystem sftp internal-sftp
Match User dave
    ChrootDirectory /opt/ftp/dave
    X11Forwarding no
    AllowTcpForwarding no
    ForceCommand internal-sftp

Restart sshd.

4. Test access

The code is as follows:
root@10.1.1.200:test# sftp -oPort=22 dave@10.1.6.175
Connecting to 10.1.6.175...
dave@10.1.6.175's password:
Read from remote host 10.1.6.175: Connection reset by peer
Couldn't read packet: Connection reset by peer

The connection cannot be established, so check the log:

The code is as follows:
[root@localhost ftp]# tail /var/log/messages
6 11:41:41 localhost sshd[4907]: fatal: bad ownership or modes for chroot directory "/opt/ftp/dave"
6 11:41:41 localhost sshd[4905]: pam_unix(sshd:session): session closed for user dave

Workaround:

The directory permissions must satisfy two rules:

The directory set as ChrootDirectory, and every parent directory above it, must be owned by root, with root as the group as well;

The directory set as ChrootDirectory, and every parent directory above it, may be writable only by the owner, so the most permissive mode allowed is 755.

If these two rules are not followed, all sftp users may be affected, even if the directory belongs to only one user.

The code is as follows:
[root@localhost ftp]# ll
total 4
drwxr-xr-x 3 dave dave 4096 5 13:06 dave
[root@localhost ftp]# chown root:root dave
[root@localhost ftp]# chmod 755 dave
[root@localhost ftp]# ll
total 4
drwxr-xr-x 3 root root 4096 5 13:06 dave

Testing again, the connection now succeeds:

The code is as follows:
root@10.1.1.200:test# sftp -oPort=22 dave@10.1.6.175
Connecting to 10.1.6.175...
dave@10.1.6.175's password:
sftp> ls
test
sftp> cd ..
sftp> ls
test
sftp> cd test
sftp> ls
1.txt
sftp> get 1.txt
Fetching /test/1.txt to 1.txt
/test/1.txt

As the session shows, the user is confined to its home directory (cd .. does not leave it) and cannot log on to a shell on the machine.
