FTP is an insecure protocol and is open to packet sniffing so where possible I prefer to use SFTP on a custom port. Closing off the standard FTP port also limits risk to the box.
SFTP requires a standard Linux account which means that users can log into the box via SSH. Most of the time this is ok but sometimes you don’t want this. How can you limit what user accounts can do but still grant SFTP access?
There are a few options to limit user accounts. The simplest is to change the SFTP user’s shell to use the sftp server as a shell. In order to do this as root edit
/etc/shells and add
Then for the SFTP user change their shell to the SFTP server
chsh -s /usr/libexec/openssh/sftp-server yoursftpuser
This means that the user will be able to use the SFTP server but nothing else.
The downside is that the user will still be able to traverse the entire file system when connected. Chrooting is a feature of OpenSSH from version 4.8p1. The version that comes with CentOS is 4.3p2
On a production box manually compiling a newer version is not an option for me.
scponly acts as an alternative shell to limit what users can do. You can configure users to be chrooted.
rssh is restricted shell for use with OpenSSH which only allows scp. It doesn’t provide chrooting but there are other ways to do it.
Because packages are always behind the latest release on CentOS there isn’t an elegant solution to this without manually compiling packages. The solution offered by OpenSSH is exactly what is required, so I suppose I’ll wait.
Have an update or suggestion for this article? You can edit it here and send me a pull request.