Recent blog posts

Sftp-Only User Accounts

By Sandra Henry-Stocker  7 comments

April 22, 2009, 1:35 PM Setting up users with very limited access to systems -- nothing more than they need, used to be a little tricky. You could create a specialized environment, chain the visitor to his home directory and do a lot of testing to be sure that your limits were strictly enforced. Limiting a user to only being able to move files to and from your system with sftp is surprisingly simple.

The first thing you need to do is find the sftp-server executable on your system. Let's say the file is /usr/local/libexec/sftp-server. Next, create your new user's account using this file as the user's shell:

# grep sftponly /etc/passwd
sftponly:x:9042:8080:sftp-only:/home/sftponly:/usr/local/libexec/sftp-server

If this is the first user to be set up with access limited to sftp, you will also need to add your sftp-server executable to the list of valid shells. You can easily add the file to the /etc/shells file like this:

echo "/usr/local/libexec/sftp-server" >> /etc/shells

At this point, you can test the account using sftp.

# sftp visitor@localhost
Connecting to localhost...
visitor@localhost's password:
sftp> ls
sftp> put test
Uploading test to /home/visitor/test
test                                          100%  415     0.4KB/s   00:00
sftp> ls
test
sftp> bye

Anyone used to ftp should have no trouble using sftp. The security advantages are considerable. All data passing back and forth between the server and the sftp client are encrypted.

If your new user is uploading and downloading files from his Windows, Linux or Mac OS X desktop and wants a nicer interface for uploading and downloading files, introduce him to FileZilla. To use sftp with FileZilla, all he has to do is put "22" into the Port: field in the window's header or "sftp://" ahead of the server's name in the Host: field.

This setup provides sftp-only access, but does not restrict these users to their home directories, so don't count on this as a solution for managing untrusted visitors. If you need to restrict your new user to his home directory as well as to only using sftp, you will need a modified sftp-server that adds a chroot function.

7 comments

    Anonymous 1 year ago
    There are many competing in our lives, Aion Kinah game as is. Click on Buy Aion Kinah to play
    Flag comment  |  Permalink Reply
    Anonymous 1 year ago
    For many of the internet users I know, Facebook and Twitter is not just another site. it IS life. and those guys, when they loose connection to their oxygen pipe they find ways to go back in. There are so many ways to do it, either by sites like unblock facebook and unblock twitter, or VPN accounts that are there by hundreds, or even static proxy lists. The bottom line, some people just can't live without it. and they WILL find their way to get there. for sure. Promotional Products Promotional Products Corporate Gifts
    Flag comment  |  Permalink Reply
    Anonymous 2 years ago
    I understand the importance of SFTP but I am not at all technologically minded!For my business, we just outsourced. We now have a secure file transfer set up, and I can do business without these headaches.I recommend it. A lot.
    Flag comment  |  Permalink Reply
    mbt
    mbt 2 years ago
    Nice blogpost, good looking website, added it to my favs.mbt shoes
    mbt shoe
    mbt sale
    Cheap mbt shoes
    mbtmbt shoes salembt anti shoescheap mbt shoesmbt LamiCheap Timberland Bootscheap timberland classic bootskids timberland bootsTimberland
    timberland boot
    Timberland Bootstimberland boots cheaptimberland boots for cheap
    timberland boots for kids
    timberland boots for men
    timberland boots for saletimberland boots for women
    timberland boots men
    timberland boots on sale
    timberland boots uk
    Timberland ClassicTimberland Mens 6 InchTimberland Mens ChukkaTimberland Mens Customtimberland shoes
    timberland uk
    timberland women boots
    Timberland Work Boots
    Flag comment  |  Permalink Reply
    Anonymous 2 years ago
    Since OpenSSH 4.9 (or OpenSSH 4.8 - OpenBSD 4.3 only)It's called "internal-sftp" command.(I've made a short "historical" note on this: http://zhmark.livejournal.com/1167.html)
    Flag comment  |  Permalink Reply
    sherwool
    sherwool 2 years ago
    Anonymous- Don't think there is a way, with sftp-only, to let a user change his password. However, I think the following would accomplish want you want to do, as long as you have access to the keys (I have not actually tried it). But OpenSSH allows the sysadmin to restrict the commands a user has access to. So I think you can alter the authorized_keys file to say something like the following:command="/usr/sbin/passwd" ssh-rsa XXXXXX...When the user ssh's into the machine, all he or she can do is run the passwd command. Unfortunately, if he tries to run another command, it will respond with the passwd prompt, which is probably undesirable, but as best I know that's the way it is.
    Flag comment  |  Permalink Reply
    Anonymous 2 years ago
    We use this solution at on our solaris boxes. The problem is, that the users can't change their own password.Do you have maybe a tipp for it?
    Flag comment  |  Permalink Reply

      Add a comment

      Post a comment using one of these accounts
      Or join now
      At least 6 characters

      Note: Comment will appear soon after you have activated your account.
      Obscene/spam comments will be removed and accounts suspended.
      The information you submit is subject to our Privacy Policy and Terms of Service.

      ITworld LIVE

      Answers - Powered by ITworld

      ITworld Answers helps you solve problems and share expertise. Ask a question or take a crack at answering the new questions below.

      Join Now

      New questions

      How well does facial recognition work for device security?
      3 answers
      What are the best tools for speeding up a website?
      0 answers
      What type of enterprise user is going to use Ubuntu Business Desktop Remix?
      1 answer
      How much will the security flaws in Google Wallet set back the transition to "digital wallets"?
      2 answers
      What can be done to control noise levels in data centers?
      1 answer
      View more questions

      Ask a question

      Join Now or Sign In to ask a question.
      Ask a Question