chroot accounts with sftp access

fusi0n · #1 2nd November 2006, 11:06 PM

Hi,

I have search high and low and I have not been able to find a solution tha works for me so I thought I would try you guys

I have a web server running FC4 and vsftpd with all the updates done. I want to be able to lock users with sftp access in there home dirs. So far I am only able to do this with ftp and it works like a charm. Although when I allow the users sftp access they are able to browse right up to the root folder. Also, is there a way to allow sftp without allowin ssh into the box for that account?

Thanks in advance for any help, And I apologize if I missed a post somewhere on this but I have come up empty handed over the last few days of playing with this and trying to get it to work.

jhetrick62 · #2 3rd November 2006, 12:32 AM

Sftp by definition is:

DESCRIPTION

sftp is an interactive file transfer program, similar to ftp, which performs all operations over an encrypted ssh(1) transport. It may also use many features of ssh, such as public key authentication and compres- sion. sftp connects and logs into the specified host, then enters an interactive command mode.

So, no it won't work without ssh accesss which by it's very nature is meant to allow a user to use the box as if they were sitting there, but through a completely encrytped tunnel. Sftp allows them to transfer files inside of the tunnel thus their passwords never get passed in an un-encrytped state and all information is transferred in the encrypted mode.

Why would you want to allow a standard user that access?

Jeff

fusi0n · #3 3rd November 2006, 01:05 AM

fair enough. I was aware of this but just wanted to see if there was a way around it. I want to allow this access as there is only one person who connects to this server besides me (the admin) the other is the webmaster (user in question) He is transfering files that are generated by a piece of software and it produces around 2000 files for updates to a certain section of the website. Everytime he tries to update this using plain ftp it hangs and various other problems. This does not happen at all with sftp so I felt it is a solution to get the webmaster off my case. Now, the question remains, how to I stop him from getting out of his home directory and browsing the rest of the server with sftp? I only want him to ssh and sftp into his home directory which is where all the websites are... he tends to play and causes me grief so if he can only look and mess with his files it will save me many headaches.

pdb · #4 10th November 2006, 02:03 AM

Never used it, but found this:
http://chrootssh.sourceforge.net

Looks like what you are wanting to do