FTP is an insecure protocol: credentials and data travel in the clear and are open to packet sniffing, so where possible I prefer to use SFTP on a custom port. Closing off the standard FTP port also limits the risk to the box.
SFTP requires a standard Linux account, which means that users can also log into the box via SSH. Most of the time this is OK, but sometimes you don’t want it. How can you limit what user accounts can do but still grant SFTP access?
There are a few options to limit user accounts. The simplest is to change the SFTP user’s login shell to the sftp server binary itself. To do this, as root edit /etc/shells and add the path to the SFTP server, /usr/libexec/openssh/sftp-server, on its own line.
Then change the SFTP user’s shell to the SFTP server:
chsh -s /usr/libexec/openssh/sftp-server yoursftpuser
This means that the user will be able to use the SFTP server but nothing else: an interactive SSH login simply runs sftp-server, which expects to talk the SFTP protocol on stdin and exits.
The downside is that the user will still be able to traverse the entire file system when connected, subject only to normal file permissions. Chrooting SFTP users is a feature of OpenSSH from version 4.8p1 onwards. The version that comes with CentOS is 4.3p2.
On a production box manually compiling a newer version is not an option for me.
scponly acts as an alternative shell that limits what users can do, and it can be configured to chroot users.
rssh is a restricted shell for use with OpenSSH which only allows scp. It doesn’t provide chrooting, but there are other ways to do it.
Because packages on CentOS are always behind the latest release, there isn’t an elegant solution to this without manually compiling packages. The chroot support offered by OpenSSH is exactly what is required, so I suppose I’ll wait.