for debugging ssh stuff, this one-liner is very handy (on client AND server):
GNU Linux – monitor all logs in real time 😀 – follow all – show changes to log files under /var/log
SFTP is very cool and easy to set up, as it is SSH based.
That means: if user ‘sftp’ can log in via
ssh -v sftp@ip.of.the.srv
then SFTP via FileZilla will most likely also work.
lsb_release -d; # tested on
Description: Debian GNU/Linux 11 (bullseye)
First, a new user ‘sftp’ needs to be added on client AND server:
su - root
useradd -m sftp
# no account without pwd
passwd sftp
# add to group www-data
usermod -a -G www-data sftp
# become the user
su - sftp
generate an ssh key for that user:
to limit the user ‘sftp’ to SFTP only, the server's sshd_config looks like this (comments and empty lines stripped):
sed -e '/^#/d' /etc/ssh/sshd_config | grep -v '^[[:space:]]*$'

Include /etc/ssh/sshd_config.d/*.conf
# allow only those usernames to ssh login
AllowUsers sftp
SyslogFacility AUTH
# possible LogLevels: QUIET, FATAL, ERROR, INFO (Default), VERBOSE, DEBUG, DEBUG1, DEBUG2 (<- use this one for debugging) and DEBUG3
LogLevel DEBUG2
LoginGraceTime 2m
PermitRootLogin no
StrictModes yes
MaxAuthTries 3
MaxSessions 3
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
X11Forwarding no
PrintMotd no
AcceptEnv LANG LC_*
# override default of no subsystems
# Subsystem sftp /usr/lib/openssh/sftp-server
Subsystem sftp internal-sftp
Match User sftp
    ChrootDirectory /var/www/
    X11Forwarding no
    AllowTcpForwarding no
    ForceCommand internal-sftp
    ClientAliveInterval 120
# alternatively
# Match group sftp
Then don’t forget to restart the ssh service to make changes active:
service ssh restart
Make sure:
- upload the public key to server:/home/sftp/.ssh/authorized_keys2
- on client:
  - install filezilla:
    apt update
    apt install filezilla putty-tools
  - start filezilla and hit Ctrl+S -> in Site Manager -> create a new site connection
  - login type: select “Keyfile” and select the private key, which is most likely called “/home/sftp/.ssh/id_ed25519”
  - FileZilla says it needs to convert the key to a .ppk format it can handle
  - do that and give it the new ending id_ed25519.ppk
  - save the site config by hitting “ok”
- on client:
  - make sure ssh login to this server via this user works:
    ssh -v sftp@ip.of.the.srv
If that worked, test whether FileZilla can also log in via SFTP.
Then the user's ssh shell login can be disabled like this:
usermod -s /usr/sbin/nologin sftp
this script could be named:
vim /root/scripts/fix_permissions.sh
contents:
#!/bin/bash
echo "=== fixing webserver permissions ==="
# the web root belongs to the webserver user/group (user 'sftp' is a member of www-data)
chown -R www-data: /var/www/html
chmod -R 775 /var/www/html
echo "... make sure chroot for user 'sftp' works"
echo "... the idea is that user 'sftp' can not ssh login but only sftp /var/www/html"
# sshd requires the ChrootDirectory (and every parent) to be root-owned and not group/world-writable
chown root:root /var/www/
chmod 755 /var/www
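As an added check (not part of the original post or the script above), this walks every path component from / down to a ChrootDirectory and applies the rule sshd enforces when it logs "bad ownership or modes for chroot directory component": each directory must be root-owned and not group- or world-writable. It assumes GNU stat (as on Debian); the function names are my own.

```shell
#!/bin/sh
# Added example: verify ChrootDirectory ownership/mode requirements.
# Assumes GNU coreutils stat (Debian). Usage: sh check_chroot.sh /var/www

# pure rule check on a numeric owner uid and an octal mode string, e.g. component_ok 0 755
component_ok() {
    uid=$1
    mode=$2
    [ "$uid" = "0" ] || return 1
    # convert the octal mode to a number; octal 022 masks the group- and other-write bits
    dec=$(printf '%d' "0$mode") || return 1
    wbits=$(printf '%d' 022)
    [ $(( dec & wbits )) -eq 0 ]
}

# stat one directory and report whether it passes
check_component() {
    path=$1
    info=$(stat -c '%u %a' "$path" 2>/dev/null) || {
        echo "BAD $path: cannot stat"
        return 1
    }
    set -- $info
    if component_ok "$1" "$2"; then
        echo "ok  $path (uid=$1 mode=$2)"
    else
        echo "BAD $path (uid=$1 mode=$2): must be root-owned and not group/world-writable"
        return 1
    fi
}

# walk from / down to the target directory, e.g. check_chroot_path /var/www
check_chroot_path() {
    target=${1%/}
    rc=0
    cur=""
    check_component / || rc=1
    rest=${target#/}
    while [ -n "$rest" ]; do
        comp=${rest%%/*}
        cur="$cur/$comp"
        check_component "$cur" || rc=1
        case $rest in */*) rest=${rest#*/} ;; *) rest="" ;; esac
    done
    return $rc
}

if [ $# -gt 0 ]; then check_chroot_path "$1"; fi
```

Note that /var/www/html being www-data-owned and 775 is fine, since only the chroot directory itself and its parents are checked by sshd.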
creditz:
https://serverfault.com/questions/584986/bad-ownership-or-modes-for-chroot-directory-component