sftp chroot penguin

Allow only sftp without ssh and also chroot the penguin [Poor Kowalski]

Hello sftp users

A friend of mine asked me a few days ago how to give a single user the right to use sftp while not letting him ssh into the server. The solution is kind of dirty, but it is what OpenSSH gives us: the user gets chrooted into his own home directory, which is owned by root so he cannot write to the top level, and he gets writable subdirectories inside it. Kind of like what you see in cPanel's home dirs, where you ftp in and see a bunch of folders like public_html etc. So yeah, we will do something similar.
First we need to create an sftp-only group.

Then we need to modify the user account we want to restrict (adding it to that group) and apply the permissions sshd insists on for his home directory: the chroot target, and every directory above it, must be owned by root and must not be writable by group or others, otherwise sshd refuses the login.

where 'username' is the user you want to restrict.

Now we need to create the actual folders the user will be able to read and write, since his home dir is now owned by root. So, as I told you, we go the same way as cPanel:

Now that we are done preparing the user directory, we move on to the last step, which is changing the sshd config so all this stuff actually works. Edit /etc/ssh/sshd_config. By default, sshd ships with the following line uncommented in sshd_config:

We need to comment that line out (or change it) and add a new line that looks like this:

Then, at the end of sshd_config, we add the following lines. They have to go at the end, because a Match block applies to everything after it until the next Match, so anything you put below it would only apply to that group:

The last step is to validate the config with `sshd -t` and restart the sshd daemon, and we are good to go. Try to sftp to your server as that user and you will be able to write into the directories created above (uploads, dir1, dir2, dir3 etc.). If you try to ssh to the server with the same user you will see the following:

You should also know that this setup has several variations. You can use "Match User" instead of "Match Group" if you don't want to create a group and only plan to restrict a single user. Hopefully this helped someone. But if you want to be INSANE like me, you can just shut the server down altogether so nobody will be able to hack it.

Take care !!
