Configure SFTP in centos and restrict user access to directories

Source: Internet
Author: User

Step 1: Create an SFTP service user group and create the SFTP service root directory

groupadd sftp
# The owner of this directory and of every parent directory must be root, with permissions no higher than 755.
# The group of the directory should be set to sftp.
mkdir /srv/sftp
chown -R root:sftp /srv/sftp
chmod -R 0755 /srv/sftp

Step 2: Back up the sshd configuration file and edit it

mkdir -p ~/backup
cp /etc/ssh/sshd_config ~/backup/sshd_config_xxx
vim /etc/ssh/sshd_config

In this step, comment out the following line in /etc/ssh/sshd_config:

Subsystem  sftp    /usr/libexec/openssh/sftp-server

Add the following code:

Subsystem sftp internal-sftp
Match Group sftp
    ChrootDirectory /srv/sftp/%u
    X11Forwarding no
    AllowTcpForwarding no
    ForceCommand internal-sftp

Function description: every user in the sftp group can use the SFTP service, and only that service. The Match block applies to members of the sftp group: ChrootDirectory confines each of them to /srv/sftp/<username> (%u expands to the user name), X11 and TCP forwarding are disabled, and ForceCommand internal-sftp makes the in-process SFTP server the only thing the session can run. After connecting, the accessible directory is /srv/sftp/username.
For example:

User test is a member of the sftp group. After connecting to the server through SFTP, test can only see the contents of the /srv/sftp/test directory.
User test2 is also a member of the sftp group. After connecting to the server through SFTP, test2 can only see the contents of the /srv/sftp/test2 directory.
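A small audit script for the step 2 result, added here as an example and not part of the original article: it checks that an sshd_config selects the in-process SFTP server and that the Match Group block carries all four restricting directives. The function name audit_sftp_config and the constructed sample configuration are this example's own; point it at /etc/ssh/sshd_config on a real host.

```shell
#!/bin/sh
# Added example (not from the original article): audit an sshd_config for the
# chroot-SFTP settings of step 2. Every missing directive is printed, and the
# function returns 0 only when all of them are present.
# Usage: audit_sftp_config <sshd_config> [group]   (group defaults to sftp)
audit_sftp_config() {
    cfg=$1
    group=${2:-sftp}
    missing=0

    # The global Subsystem line must select the in-process server: after the
    # chroot, an external sftp-server binary would have to exist inside the jail.
    grep -Eiq '^[[:space:]]*Subsystem[[:space:]]+sftp[[:space:]]+internal-sftp([[:space:]]|$)' "$cfg" \
        || { echo "missing: Subsystem sftp internal-sftp"; missing=1; }

    # Extract the body of "Match Group <group>": the lines after it up to the
    # next Match keyword or end of file, skipping comment lines.
    block=$(awk -v g="$group" '
        /^[[:space:]]*#/ { next }
        tolower($1) == "match" { inblk = (tolower($2) == "group" && $3 == g); next }
        inblk { print }' "$cfg")

    # keyword:value pairs; an empty value means "present with any value"
    for want in 'ChrootDirectory:' 'ForceCommand:internal-sftp' \
                'X11Forwarding:no' 'AllowTcpForwarding:no'; do
        key=${want%%:*}
        val=${want#*:}
        if [ -n "$val" ]; then
            re="^[[:space:]]*$key[[:space:]]+$val([[:space:]]|$)"
        else
            re="^[[:space:]]*$key[[:space:]]+[^[:space:]]"
        fi
        printf '%s\n' "$block" | grep -Eiq "$re" \
            || { echo "missing in Match Group $group: $key $val"; missing=1; }
    done
    return $missing
}

# Constructed sample (not a real server's file) reflecting the step 2 edit.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Subsystem sftp internal-sftp
Match Group sftp
    ChrootDirectory /srv/sftp/%u
    X11Forwarding no
    AllowTcpForwarding no
    ForceCommand internal-sftp
EOF
audit_sftp_config "$sample" && echo "chroot SFTP settings present"
rm -f "$sample"
```

The awk pass resets on every Match line, so a directive that only appears in a later Match User block is correctly reported as missing from the group block.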

Step 3: Add a valid SFTP user and grant the write permission to the user

# In this example, create an SFTP account named test.
# Create the home directory of test: its owner must be root, its group should be sftp,
# and its permissions must be no higher than 755.
mkdir /srv/sftp/test
chmod 0755 /srv/sftp/test
chown root:sftp /srv/sftp/test
# Add the user with -s /sbin/nologin so that the account cannot log in to a command-line shell.
useradd -g sftp -d /srv/sftp/test -s /sbin/nologin test
# The account still needs a way to authenticate (for example, set a password with: passwd test).

The following workaround for write permission is not perfect, because the chroot directory itself must stay root-owned and unwritable by the user:

# Create a writable directory under the test directory
mkdir /srv/sftp/test/write
chown -R test:sftp /srv/sftp/test/write

In this way, the test user has write permission inside the write directory under his home directory, while the home directory itself remains read-only for him.

The root directory of the SFTP service must be owned by root and its permissions must not exceed 755, and every parent directory must follow the same rule. Each SFTP user directory must also be owned by root with permissions no higher than 755; otherwise sshd refuses the chroot and the login fails.
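The ownership and permission rule above is the usual reason a chroot SFTP login fails, so here is a check for it, added as an example and not part of the original article. The function name check_chroot_path and the constructed demo tree are this example's own; the optional stop directory and expected-owner arguments exist only so the check can be exercised on a scratch tree without root, and on a real host you call it with just the user directory.

```shell
#!/bin/sh
# Added example (not from the original article): verify that every directory
# from a chroot target up to the filesystem root is owned by root and is
# writable neither by group nor by others (755 or tighter), as sshd requires.
# Usage: check_chroot_path <dir> [stop_dir] [expected_uid]
#   stop_dir      where the upward walk stops (default /)
#   expected_uid  required owner (default 0, root)
check_chroot_path() {
    cur=$1
    stop=${2:-/}
    want_uid=${3:-0}
    bad=0
    while :; do
        uid=$(stat -c '%u' "$cur")
        perm=$(stat -c '%A' "$cur")            # symbolic mode, e.g. drwxr-xr-x
        gw=$(printf '%s' "$perm" | cut -c6)    # group write bit
        ow=$(printf '%s' "$perm" | cut -c9)    # other write bit
        if [ "$uid" != "$want_uid" ]; then
            echo "BAD owner uid=$uid (want $want_uid): $cur"; bad=1
        fi
        if [ "$gw" = "w" ] || [ "$ow" = "w" ]; then
            echo "BAD group/other writable ($perm): $cur"; bad=1
        fi
        [ "$cur" = "$stop" ] && break
        [ "$cur" = "/" ] && break              # guard in case dir is not under stop_dir
        cur=$(dirname "$cur")
    done
    return $bad
}

# Constructed demo tree (not a real system path): a compliant chroot layout,
# then the same layout after the parent directory is made group-writable.
demo=$(mktemp -d)
mkdir -p "$demo/srv/sftp/test/write"
chmod 755 "$demo" "$demo/srv" "$demo/srv/sftp" "$demo/srv/sftp/test"
check_chroot_path "$demo/srv/sftp/test" "$demo" "$(id -u)" && echo "OK: $demo/srv/sftp/test"
chmod 775 "$demo/srv/sftp"
check_chroot_path "$demo/srv/sftp/test" "$demo" "$(id -u)" || echo "rejected as expected"
rm -rf "$demo"
```

The writable subdirectory from step 3 is below the chroot and is deliberately not walked: only the chroot directory and its ancestors are subject to the rule.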

 
