Adding SFTP Users with a limited Shell in CentOS 5.2
A quick way to add SFTP users with a limited shell in CentOS
FTP or SFTP?
FTP is an insecure protocol: credentials and data travel in clear text and are open to packet sniffing, so where possible I prefer to use SFTP on a custom port. Closing off the standard FTP port also limits the risk to the box.
SFTP requires a standard Linux account, which means that users can log into the box via SSH. Most of the time this is ok, but sometimes you don't want this. How can you limit what user accounts can do but still grant SFTP access?
The quick and dirty way
There are a few options to limit user accounts. The simplest is to change the SFTP user's shell to the sftp server itself. To do this, as root edit /etc/shells and add the line:
/usr/libexec/openssh/sftp-server
Then change the SFTP user's shell to the SFTP server:
chsh -s /usr/libexec/openssh/sftp-server yoursftpuser
This means that the user will be able to use the SFTP server but nothing else.
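The steps above as a small POSIX shell script (an added example, not from the original post). It registers the sftp-server binary in /etc/shells only if it is not already listed, refuses to change the user's shell unless that registration succeeded, and reads back the assigned shell from the passwd file. The file paths SHELLS_FILE and PASSWD_FILE, and the SFTP_USER variable that triggers the run, are this example's own conventions; they default to the real system files so the helpers can also be checked against scratch copies.

```shell
#!/bin/sh
# Added example (not the original post's code): register the OpenSSH
# sftp-server binary as a valid login shell and assign it to an SFTP-only user.
# SHELLS_FILE / PASSWD_FILE are overridable (assumption of this example) so the
# helpers can be exercised against scratch copies; defaults are the system files.

SFTP_SERVER="${SFTP_SERVER:-/usr/libexec/openssh/sftp-server}"
SHELLS_FILE="${SHELLS_FILE:-/etc/shells}"
PASSWD_FILE="${PASSWD_FILE:-/etc/passwd}"

# shell_registered FILE SHELL -> success if SHELL appears as a whole line in FILE
shell_registered() {
    grep -qxF -- "$2" "$1"
}

# register_shell FILE SHELL -> append SHELL to FILE unless it is already there
register_shell() {
    if shell_registered "$1" "$2"; then
        return 0
    fi
    printf '%s\n' "$2" >> "$1"
}

# user_shell PASSWD USER -> prints the login shell field (7th) for USER
user_shell() {
    awk -F: -v u="$2" '$1 == u { print $7 }' "$1"
}

# assign_sftp_shell USER -> needs root; refuses if the shell is not registered,
# because chsh rejects shells that are not listed in /etc/shells
assign_sftp_shell() {
    shell_registered "$SHELLS_FILE" "$SFTP_SERVER" || {
        echo "refusing: $SFTP_SERVER is not listed in $SHELLS_FILE" >&2
        return 1
    }
    chsh -s "$SFTP_SERVER" "$1"
}

# Run as root with: SFTP_USER=yoursftpuser sh sftp-only-shell.sh
if [ -n "${SFTP_USER:-}" ]; then
    [ -x "$SFTP_SERVER" ] || { echo "$SFTP_SERVER is not executable" >&2; exit 1; }
    register_shell "$SHELLS_FILE" "$SFTP_SERVER"
    assign_sftp_shell "$SFTP_USER"
    echo "$SFTP_USER now has login shell: $(user_shell "$PASSWD_FILE" "$SFTP_USER")"
fi
```

Note that this only restricts what runs when the user's login shell is invoked; it does not by itself disable SSH TCP forwarding, which is governed by AllowTcpForwarding in sshd_config.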
The downside is that the user will still be able to traverse the entire file system when connected. Chrooting is a feature of OpenSSH from version 4.8p1 onward; the version that ships with CentOS is 4.3p2.
On a production box, manually compiling a newer version is not an option for me.
Other options
scponly acts as an alternative shell that limits what users can do. Users can be configured to be chrooted.
rssh is a restricted shell for use with OpenSSH which only allows scp. It doesn't provide chrooting, but there are other ways to do that.
Conclusion
Because packages on CentOS are always behind the latest release, there isn't an elegant solution to this without manually compiling packages. The chroot support offered by newer OpenSSH is exactly what is required, so I suppose I'll wait.