Wednesday, July 22, 2015

How to set up an SFTP user and restricted access to user home directory on FreeBSD

How to set up an SFTP user and restricted access to user home directory on FreeBSD

Do you need a secure way to give people access to files on your FreeBSD server? While FTP is not a good option because passwords are transferred in plain text, you should use the more secure SFTP. SFTP is based on SSH which encrypts all passwords and data. With this option there is no need to install a separate service as SSH is on almost every server.

All you need to do is to configure SSH properly. In this tutorial we show you to give users limited access to your system. Shell login will be disabled for these users, so they cannot run commands or play around with files they shouldn't.

Create a new group:

# pw groupadd sftponly

Add these lines at the bottom of the file and change the chroot directory to your needs:

# vi /etc/ssh/sshd_config

Match Group sftponly
 ChrootDirectory %h
 X11Forwarding no
 AllowTcpForwarding no
 ForceCommand internal-sftp

Restart the SSH server:

# /etc/rc.d/sshd restart

Add www user to the sftponly group:

# pw groupmod sftponly -m www

Create a new user:

# pw useradd -n sftp_user1 -s /usr/sbin/nologin -w yes -c "sftponly user" -m
# passwd sftp_user1

Add a user to a group:

# pw groupmod sftponly -m sftp_user1

The chroot directory needs to be owned by root so that the user/group can log in:

# chown root:sftponly /home/sftp_user1
# chmod 750 /home/sftp_user1

Create a new directory within the users home directory where files can be uploaded. Change the ownership of this directory to the new user and the sftponly group:

# cd ~sftp_user1
# mkdir shared_files
# chown sftp_user1:sftponly shared_files
# chmod 750 shared_files
# touch shared_files/index.html

# vim /usr/local/etc/apache22/extra/httpd-vhosts.conf

<VirtualHost *:80>
    ServerAdmin webmaster@dummy-host.example.com
    DocumentRoot "/home/srv/web-sftp/apache22/sftp.mydomain.com"
    ServerName sftp.mydomain.com

    ErrorLog "/var/log/apache22/sftp.mydomain.com-error_log"
    CustomLog "/var/log/apache22/sftp.mydomain.com-access_log" common
</VirtualHost>

# cd /home/srv/web-sftp/apache22/sftp.sftp.mydomain.com

# ln -s /home/sftp_user1/shared_files sftp_user1

Use browser to access:

http://sftp.sftp.mydomain.com/sftp_user1/ + FileName

Reference:

http://bin63.com/how-to-set-up-an-sftp-user-on-freebsd

No comments: