Unix as a Second Language
by Sandra Henry-Stocker
Network access control

Sftp-Only User Accounts

3 comments | 4I like it!
Tags: restrict users, Sandra Henry-Stocker, secure file transfer, sftp-only
More »
Recent Posts
April 22, 2009, 12:35 PM — 

Setting up users with very limited access to systems -- nothing more than they need, used to be a little tricky. You could create a specialized environment, chain the visitor to his home directory and do a lot of testing to be sure that your limits were strictly enforced. Limiting a user to only being able to move files to and from your system with sftp is surprisingly simple.

The first thing you need to do is find the sftp-server executable on your system. Let's say the file is /usr/local/libexec/sftp-server. Next, create your new user's account using this file as the user's shell:

# grep sftponly /etc/passwd
sftponly:x:9042:8080:sftp-only:/home/sftponly:/usr/local/libexec/sftp-server

If this is the first user to be set up with access limited to sftp, you will also need to add your sftp-server executable to the list of valid shells. You can easily add the file to the /etc/shells file like this:

echo "/usr/local/libexec/sftp-server" >> /etc/shells

At this point, you can test the account using sftp.

# sftp visitor@localhost
Connecting to localhost...
visitor@localhost's password:
sftp> ls
sftp> put test
Uploading test to /home/visitor/test
test                                          100%  415     0.4KB/s   00:00
sftp> ls
test
sftp> bye

Anyone used to ftp should have no trouble using sftp. The security advantages are considerable. All data passing back and forth between the server and the sftp client are encrypted.

If your new user is uploading and downloading files from his Windows, Linux or Mac OS X desktop and wants a nicer interface for uploading and downloading files, introduce him to FileZilla. To use sftp with FileZilla, all he has to do is put "22" into the Port: field in the window's header or "sftp://" ahead of the server's name in the Host: field.

This setup provides sftp-only access, but does not restrict these users to their home directories, so don't count on this as a solution for managing untrusted visitors. If you need to restrict your new user to his home directory as well as to only using sftp, you will need a modified sftp-server that adds a chroot function.

Sign up for ITworld's Daily newsletter
Follow ITworld on Twitter @IT_world

I like it!
Comments
3 comments Add a comment

Password change

We use this solution at on our solaris boxes. The problem is, that the users can't change their own password.
Do you have maybe a tipp for it?
by Anonymous (not verified) on 4/23/09 at 1:37 am | reply

Sftp-Only User Accounts

Anonymous-

Don't think there is a way, with sftp-only, to let a user change his password. However, I think the following would accomplish want you want to do, as long as you have access to the keys (I have not actually tried it). But OpenSSH allows the sysadmin to restrict the commands a user has access to. So I think you can alter the authorized_keys file to say something like the following:

command="/usr/sbin/passwd" ssh-rsa XXXXXX...

When the user ssh's into the machine, all he or she can do is run the passwd command. Unfortunately, if he tries to run another command, it will respond with the passwd prompt, which is probably undesirable, but as best I know that's the way it is.
by sherwool on 5/24/09 at 4:00 pm | reply

no need to patch server to chroot sftp server

Since OpenSSH 4.9 (or OpenSSH 4.8 - OpenBSD 4.3 only)
It's called "internal-sftp" command.
(I've made a short "historical" note on this: http://zhmark.livejournal.com/1167.html)
by Mark Zhitomirski (not verified) on 10/6/09 at 8:36 am | reply
View all comments »
peer-to-peer

Esther Schindler
If the comments are ugly, the code is ugly

claird
SVG a graphics format for 21st century

pasmith
Take Chrome OS for a test spin

Sandra Henry-Stocker
Solaris Tip: Have Your Files Changed Since Installation?

sjvn
64-bits of protection?

jfruh
Android fragments vs. the iPhone monolith

mikelgan
What Gizmodo missed about the Pro WX Wireless USB disk drive

 

Where Google Chrome security fails: the password
I heard mention that the Chrome OS will have some sort of encryption available a la bitlocker. If it's possible to encrypt personal data using another password or key, then it may have potential for very secure data.... And Ubuntu has an 'encrypt home directory' option, perhaps google should follow suit.
- Dann

Join the conversation here

The Daily Tip

The Daily TipQuick, practical advice for IT pros. Made fresh daily.

Hot tips:

Want to cash in on your IT savvy? Send your tip to tips@itworld.com. If we post it, we'll send you a $25 Amazon e-gift card.

Newsletters

Subscribe to ITWORLD TODAY and receive the latest IT news and analysis.

I would like to receive offers via email from ITworld partners.
By clicking submit you agree to the terms and conditions outlined in ITworld's privacy policy.
view all newsletters »
Featured Sponsor
Case Study: AISO grows its "green" business

AISO founders envisioned a Web hosting company that was environmentally friendly. While the company employed energy-efficient innovations like solar panels, its infrastructure produced unacceptable power and cooling requirements. Find out how AISO leveraged AMD technology to overcome their challenge in this case study white paper.

Download this white paper »
Myth of the Million Dollar Database

In this whitepaper, Scalar explores the opportunity to change the landscape with respect to mission critical databases built around Oracle. Leveraging technologies such as Linux, high-end commodity processing power and Oracle RAC technology to architect, design, build and maintain database infrastructure that delivers maximum availability, reliability and performance at a fraction of traditional cost.

Download this white paper »
Success Story: Weather.com handles whatever nature serves up

On a typical day, weather.com, the Web site for The Weather Channel in Atlanta, serves up between 15 million and 20 million page views. But in September 2004, when back-to-back hurricanes ransacked Florida, the peak traffic on one day more than tripled: over 70 million page views by more than 7 million unique visitors. Read the full success story now.

Download this white paper »
Marketplace