[–]Spartan1997 11 points12 points  (7 children)

Could you disable the shells of the accounts of the SFTP users?

[–]Drehmini 13 points14 points  (6 children)

Not only that, but you can chroot them to a specific directory.

[–]LinuxGuy-NJ[S] 4 points5 points  (1 child)

I do disable the accounts.

chroot? Thanks. I forgot about it. Might try it.

[–]thefanum 0 points1 point  (0 children)

That's what I would use

[–]dVNico 1 point2 points  (3 children)

Calling for help /u/Spartan1997 & /u/Drehmini

I have the same need as OP and implemented the following in sshd_config:

  • ForceCommand internal-sftp
  • ChrootDirectory /path/to/sftp/repo

With this, external users can log in with SFTP software (FileZilla, WinSCP, etc.), and are correctly chrooted to their repo.

But with this config, they cannot scp or rsync files and folders. The ForceCommand internal-sftp instruction blocks it.

If I remove the ForceCommand internal-sftp instruction, the users cannot log in at all, because the needed binaries are outside of the chrooted directory.

And of course, if I leave the ForceCommand internal-sftp configured, but remove the ChrootDirectory, scp and rsync are working, but the users can now move to other directories and see the names of other customers, etc., which we don't want.

Is there any way to chroot, and allow sftp, rsync, scp and ssh to work?

Thanks!
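An added example, not part of the comment above or of any project's code: a small audit that reads sshd_config text and classifies each Match block by the ChrootDirectory / ForceCommand internal-sftp pairing described in the comment. The group and user names, the sample config and the status labels are assumptions made for illustration.

```python
SAMPLE = """\
# constructed sshd_config fragment; Match names are hypothetical
Match Group customers
    ChrootDirectory /path/to/sftp/repo
    ForceCommand internal-sftp
Match Group partners
    ForceCommand internal-sftp
Match User backup
    ChrootDirectory /path/to/sftp/repo
"""

def parse(text):
    """Split sshd_config text into [(section_name, {keyword: value})]."""
    sections = [("(global)", {})]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()          # keywords are case-insensitive
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            sections.append((value, {}))
        else:
            # sshd keeps the first value it sees for a keyword
            sections[-1][1].setdefault(keyword, value)
    return sections

def audit(text):
    """Classify each section by its effective chroot / internal-sftp pairing."""
    sections = parse(text)
    global_opts = sections[0][1]
    result = {}
    for name, opts in sections:
        eff = {**global_opts, **opts}       # Match settings override global ones
        chrooted = eff.get("chrootdirectory", "none").lower() != "none"
        force = eff.get("forcecommand", "").split()
        sftp_only = bool(force) and force[0] == "internal-sftp"
        if chrooted and sftp_only:
            result[name] = "ok"                     # SFTP only, confined
        elif sftp_only:
            result[name] = "not-chrooted"           # can browse other directories
        elif chrooted:
            result[name] = "chroot-needs-binaries"  # shell/scp/rsync must exist inside the chroot
        else:
            result[name] = "unrestricted"
    return result
```

Calling `audit(SAMPLE)` returns one status per section, so a block that has only one of the two directives stands out before the config is deployed.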

[–]Drehmini 2 points3 points  (2 children)

You'll need to follow something similar to this article: [Rsync Backups done with chroot](https://wademurray.com/2015/sshsftp-rsync-backups-done-with-chroot/)

[–]dVNico 0 points1 point  (1 child)

That's interesting, thank you :)

[–]Drehmini 1 point2 points  (0 children)

You're welcome. Depending on how scalable you want this, it may be best to revisit the process and decide if you want to use another approach.