Users can connect on the SSH port and get SFTP access to one directory, but not traditional unfettered access to the server: no shell, and no view of anything outside the jail.
Not something I do regularly, so no reason to script.
Now, set an environment variable that can be reused through multiple commands.
Run the following via CLI:
JAILDIR=/home/usernametocreate
The following allows chroot to the user's directory. The ChrootDirectory itself, and every directory above it in the path, has to be owned by root and un-writable by any other (non-root) user or group; if any component fails that test, sshd refuses the login:
chown root:root $JAILDIR
chmod 0755 $JAILDIR
Confirm setup, so far, like so:
ls -ld $JAILDIR
Gives output like:
drwxr-xr-x 3 root root 4096 Apr 7 19:45 /home/usernametocreate
If they only need SFTP for uploading files and nothing else, skip this step: internal-sftp needs no device nodes. A chrooted shell does, so create them:
mkdir -p $JAILDIR/dev/
mknod -m 666 $JAILDIR/dev/null c 1 3
mknod -m 666 $JAILDIR/dev/tty c 5 0
mknod -m 666 $JAILDIR/dev/zero c 1 5
mknod -m 666 $JAILDIR/dev/random c 1 8
Explanation of flags:
-m
- permission bits of the new node
c
- character device, followed by its major and minor numbers
Give them bash and password change capabilities (maybe, depending on use case). With ForceCommand internal-sftp below, no shell is ever started, so this only matters if you intend a real chrooted shell. Note also that a symlink cannot escape a chroot: inside the jail, /bin/bash resolves to the symlink itself, so copy the binary (and the shared libraries that ldd /bin/bash lists) instead. A chrooted passwd additionally needs its own files under $JAILDIR/etc, which is not covered here.
mkdir -p $JAILDIR/bin
cp /bin/bash $JAILDIR/bin/bash
mkdir $JAILDIR/etc
Modify /etc/ssh/sshd_config
Append the following at the end of the file, since every line after a Match line belongs to that block until the next Match (for a particular user; to whitelist a group instead of individual users, use Match Group with ChrootDirectory %h).
This user is only allowed in the specified ChrootDirectory and nested directories.
# jailed user - indentation doesn't matter except for readability
Match User usernametocreate
# allow passwords
PasswordAuthentication yes
# jailed user destination
ChrootDirectory /home/usernametocreate
# allow sftp login
ForceCommand internal-sftp
Match all
Check the file with sshd -t before reloading sshd; a typo here can lock you out of every other session too.
Note: The user won't be able to write to /home/usernametocreate as-is (it is root-owned by design); I want them to write to something else, like web.
Create the writable directory for usernametocreate and hand it to them:
mkdir $JAILDIR/web
chown usernametocreate:usernametocreate $JAILDIR/web
chmod 0700 $JAILDIR/web
Without the chown, the directory stays owned by root and 0700 locks the user out of it.
That's it!
If the user runs a Linux desktop, they can connect using almost any file manager, no additional software necessary (File > Connect to server, on most distros).
Mac and Windows probably require an SFTP client.
Connection example:
Server: example.com
Port: your custom SSH port
Type: SSH
Folder: /
User name: usernametocreate
Password: [send it via a secure channel, like a password manager]
And block everyone else, using CSF. Add one line per permitted source to /etc/csf/csf.allow:
tcp|in|d=22|s=127.0.0.1
d=
should be the custom SSH port in use, as specified in /etc/ssh/sshd_config (22 above is only an example)
s=
should be the user's public-facing IP (127.0.0.1 above is only a placeholder)
Then remove the SSH port from TCP_IN in /etc/csf/csf.conf, so it is blocked completely for anyone not listed in csf.allow, and run
csf -r
to reload firewall rules, after saving.