Credits: original Linode article: https://www.linode.com/docs/tools-reference/tools/limiting-access-with-sftp-jails-on-debian-and-ubuntu

MobaXterm is a pretty cool SSH client for Windows that also automatically mounts your home directory over SFTP when you log in via SSH.

Did you know SFTP has NOTHING to do with FTP 🙂

You do not need a complicated SSL FTP server setup to provide encrypted uploads and downloads. You only need an SSH server, which you probably have installed on your Linux server anyway.

As the system administrator for your Linode, you may want to give your users the ability to securely upload files to your server. The most common way to do this is to allow file transfers via SFTP, which uses SSH to provide encryption. This means you need to give your users SSH logins. But, by default, SSH users are able to view your Linode’s entire filesystem, which may not be desirable.

This guide will help you configure OpenSSH to restrict users to their home directories, and to SFTP access only. Please note that these instructions are not intended to support shell logins; any user accounts modified in accordance with this guide will have the ability to transfer files, but not the ability to log into a remote shell session.

These instructions will work for Ubuntu 9.04, Debian 5, and later. Unfortunately, the version of SSH packaged with Ubuntu 8.04 is too old to support this configuration.

Configure OpenSSH

First, you need to configure OpenSSH.

  1. Edit your /etc/ssh/sshd_config file with your favorite text editor:
    vim /etc/ssh/sshd_config
    
  2. Add or modify the Subsystem sftp line to look like the following:

    /etc/ssh/sshd_config

    Subsystem sftp internal-sftp

  3. Add this block of settings to the end of the file:
    /etc/ssh/sshd_config
    Match group filetransfer
        ChrootDirectory %h
        X11Forwarding no
        AllowTcpForwarding no
        ForceCommand internal-sftp
    

Save the changes to your file.

  4. Restart OpenSSH:
    service ssh restart
    

OpenSSH has been successfully modified.

Modify User Accounts

In this section, we’ll set up the correct new groups, ownership, and permissions for your user accounts.

  1. Create a system group for users whom you want to restrict to SFTP access:
    addgroup --system filetransfer
    
  2. Modify the user accounts that you wish to restrict to SFTP. Issue the following commands for each account, substituting the appropriate username. Please keep in mind that this will prevent these users from being able to log into a remote shell session.
    usermod -G filetransfer username
    chown root:root /home/username
    chmod 755 /home/username
    

    These users will now be unable to create files in their home directories, since these directories are owned by the root user.

  3. Next, you need to create new directories for each user, to which they will have full access. Issue the following commands for each user, changing the directories created to suit your needs:
    cd /home/username
    mkdir docs public_html
    chown username:filetransfer *
    

Your users should now be able to log into their accounts via SFTP and transfer files to and from their assigned subdirectories, but they shouldn’t be able to see the rest of your Linode’s filesystem.
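
The chown root:root and chmod 755 step above matters because sshd refuses a ChrootDirectory unless every component of the path is owned by root and not writable by group or others. As an added example (not part of the original article), this script checks a home directory against that rule; the function names are hypothetical and it assumes GNU stat and readlink as shipped on Debian and Ubuntu.

```shell
#!/bin/sh
# Added example (not from the original article). Function names are
# hypothetical. Assumes GNU stat/readlink as shipped on Debian and Ubuntu.
#
# sshd only accepts a ChrootDirectory if every path component, from / down
# to the target, is owned by root and not writable by group or others.

# component_ok UID OCTAL_MODE -> returns 0 if sshd would accept it
component_ok() {
    uid=$1 mode=$2
    [ "$uid" -eq 0 ] || return 1
    # 020 = group-write bit, 002 = other-write bit
    [ $(( 0$mode & 022 )) -eq 0 ] || return 1
    return 0
}

# audit_chroot DIR -> prints each bad component; returns 0 ok, 1 bad, 2 error
audit_chroot() {
    dir=$(readlink -f -- "$1") || return 2
    rc=0
    while :; do
        meta=$(stat -c '%u %a' "$dir") || return 2
        if ! component_ok "${meta% *}" "${meta#* }"; then
            echo "BAD  $dir (uid=${meta% *} mode=${meta#* })"
            rc=1
        fi
        [ "$dir" = / ] && break
        dir=$(dirname "$dir")
    done
    return $rc
}

# Usage, per restricted account (username is a placeholder):
#   audit_chroot /home/username || echo "sshd will reject this chroot"
```

Run it for each member of the filetransfer group before restarting sshd; a BAD line names the component whose owner or mode needs fixing.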

Links and more:

https://dwaves.de/2017/05/10/linux-sftp-ssh-how-to-limit-users-to-their-home-directories/

You may wish to consult the following resources for additional information on this topic. While these are provided in the hope that they will be useful, please note that we cannot vouch for the accuracy or timeliness of externally hosted materials.

 
