Configure the SFTP environment for non-SSH users in Linux
In some environments the system administrator wants to allow a very small number of users to transfer files to a Linux machine, but does not want to give them SSH shell access. To achieve this, we can use SFTP and build a chroot environment for it.
SFTP & chroot Background:
SFTP is the SSH File Transfer Protocol (also called Secure File Transfer Protocol). It provides file access, file transfer and file management over a trusted data stream. After we configure a chroot environment for SFTP, only authorized users can access it, and they are restricted to their home directory. In other words, the permitted users are in a jailed environment where they cannot even change out of their own directory.
In this article, we will configure an SFTP chroot environment on RHEL 6.x and CentOS 6.x. We will create a user account 'jack' that is allowed to transfer files to the Linux machine but has no ssh shell access.
Step 1: Create a group
- [root@localhost ~]# groupadd sftp_users
Step 2: Assign the secondary group (sftp_users) to the user
If the user does not exist on the system, create it with the following command (LCTT note: a non-login shell is specified so that the user cannot log in over ssh):
- [root@localhost ~]# useradd -G sftp_users -s /sbin/nologin jack
- [root@localhost ~]# passwd jack
For an existing user, modify it with the following usermod command (the -a flag appends sftp_users instead of replacing the user's existing secondary groups):
- [root@localhost ~]# usermod -aG sftp_users -s /sbin/nologin jack
Note: if you want to change the default home directory location, use the '-D' option of useradd and set appropriate permissions on the new directory.
Step 3: Edit the configuration file "/etc/ssh/sshd_config"
- # vi /etc/ssh/sshd_config
- # comment out the existing Subsystem line and add the one after it
- #Subsystem sftp /usr/libexec/openssh/sftp-server
- Subsystem sftp internal-sftp
-
- # add the lines below at the end of the file
- Match Group sftp_users
-     X11Forwarding no
-     AllowTcpForwarding no
-     ChrootDirectory %h
-     ForceCommand internal-sftp
Here:
- Match Group sftp_users: the lines that follow apply only to users who are members of the sftp_users group.
- ChrootDirectory %h: sets the chroot path, after the user authenticates, to that user's home directory (%h). For user jack, the path is /home/jack.
- ForceCommand internal-sftp: forces the in-process SFTP server for these users and ignores any commands in the user's ~/.ssh/rc file.
Restart the ssh service
- # service sshd restart
Step 4: Set permissions (sshd requires the chroot directory to be owned by root and not writable by group or others, otherwise the login is refused)
- [root@localhost ~]# chmod 755 /home/jack
- [root@localhost ~]# chown root /home/jack
- [root@localhost ~]# chgrp -R sftp_users /home/jack
If you want to allow jack to upload files, create an upload folder inside the chroot and give it to jack:
- [root@localhost jack]# mkdir /home/jack/upload
- [root@localhost jack]# chown jack:jack /home/jack/upload
Step 5: Now try to access the system and test
Try to access the system through ssh, then through sftp.
As the screenshot shows, user jack logs in through SFTP and cannot change out of the directory because of the chroot environment.
Now test upload and download, for example:
As the screenshot shows, jack's upload and download work well.
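The five steps above, collected into a reusable script. This is an added example, not code from the original article or from linuxtechi; it assumes GNU stat (as shipped on RHEL/CentOS), the group name sftp_users, the upload subdirectory name "upload" and the sshd_config path used in the article. Besides wrapping the groupadd/useradd/chown/chmod commands, it adds the check that sshd itself performs before honouring ChrootDirectory: the directory must be owned by root and must not be writable by group or others, which is the usual cause of the "bad ownership or modes for chroot directory" login failure.

```shell
#!/bin/sh
# Added example (not from the original article). Wraps steps 1 to 4 into
# functions and adds the ownership/mode check sshd performs on the chroot
# directory. Assumed: GNU stat, group sftp_users, subdirectory "upload".
set -eu

SFTP_GROUP="${SFTP_GROUP:-sftp_users}"
SSHD_CONFIG="${SSHD_CONFIG:-/etc/ssh/sshd_config}"

# Step 3 text: print the Match block for a group (no root needed).
render_sftp_match() {
    printf '%s\n' \
        "Match Group $1" \
        "    X11Forwarding no" \
        "    AllowTcpForwarding no" \
        "    ChrootDirectory %h" \
        "    ForceCommand internal-sftp"
}

# Return 0 when the directory's mode is acceptable for ChrootDirectory:
# sshd rejects a chroot that is writable by group or others.
chroot_mode_ok() {
    [ -d "$1" ] || return 1
    mode=$(stat -c '%a' "$1")          # e.g. 755 or 2775
    g=$(( (mode / 10) % 10 ))           # group digit
    o=$(( mode % 10 ))                  # other digit
    [ $(( g & 2 )) -eq 0 ] && [ $(( o & 2 )) -eq 0 ]
}

# Return 0 when the directory is owned by root (uid 0), the other sshd rule.
chroot_owner_ok() {
    [ "$(stat -c '%u' "$1")" = "0" ]
}

# Steps 1, 2 and 4: group, user with a nologin shell, chroot layout. Needs root.
setup_sftp_user() {
    user="$1"
    home="/home/$user"
    getent group "$SFTP_GROUP" >/dev/null || groupadd "$SFTP_GROUP"
    if id "$user" >/dev/null 2>&1; then
        usermod -aG "$SFTP_GROUP" -s /sbin/nologin "$user"   # -a keeps other groups
    else
        useradd -m -G "$SFTP_GROUP" -s /sbin/nologin "$user"
    fi
    chown root:"$SFTP_GROUP" "$home"    # chroot root must belong to root
    chmod 755 "$home"                   # and must not be group/world writable
    mkdir -p "$home/upload"
    chown "$user:$user" "$home/upload"  # the only place the user may write
    chroot_owner_ok "$home" && chroot_mode_ok "$home"
}

# Step 3: comment out the old subsystem line, append the new one plus the Match
# block once, then validate before restarting. Assumes the file has no Match
# block yet (Subsystem is not allowed inside one); sshd -t catches mistakes.
install_sshd_config() {
    if ! grep -q "^Match Group $SFTP_GROUP\$" "$SSHD_CONFIG"; then
        sed -i 's|^Subsystem[[:space:]]\{1,\}sftp[[:space:]].*|#&|' "$SSHD_CONFIG"
        {
            printf '\nSubsystem sftp internal-sftp\n\n'
            render_sftp_match "$SFTP_GROUP"
        } >> "$SSHD_CONFIG"
    fi
    sshd -t && service sshd restart
}
```

Run setup_sftp_user jack followed by install_sshd_config as root; sshd -t refuses to restart the daemon on a syntax error, so a typo in the Match block cannot lock administrators out of ssh. chroot_mode_ok and chroot_owner_ok can also be run on their own against an existing home directory to diagnose a chroot login that sshd rejects.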
Via: http://www.linuxtechi.com/configure-chroot-sftp-in-linux/
Author: Pradeep Kumar Translator: GOLinux Proofreader: wxy
http://linux.cn/article-3692-1.html