Multiple secured ftp accounts with separate home directory access using Ubuntu 16, NginX, vsftpd, letsencrypt

October 25, 2016 138 views
Nginx Ubuntu 16.04

I have a LEMP environment with Ubuntu 16 Xenial Xerus and NginX. I'm also using letsencrypt to encrypt my sites.
Hypothetically, say I have two developers (myuserA1 & myuserB2) working on two of my sites (mySiteX1.com, mySiteY2.net):
myuserA1 is working on website mySiteX1.com and
myuserB2 is working on website mySiteY2.net
Now
1) I'd like myuserA1 to access (read, write) only the home directory (and sub folders) of mySiteX1.com, nothing else, and likewise myuserB2 only mySiteY2.net
2) I'd like users to connect in some sort of secure way

I have followed various documentation and ways and couldn't get this right.
Earlier:
1) I was able to do the above with FTP access without encryption
2) I was able to assign users to each directory with read/write access, but this also let the users access the root directory (read only). This shouldn't happen.
3) I was able to assign users to each directory with read-only access. This shouldn't happen.

Now I have gone through the following documentation
https://www.digitalocean.com/community/tutorials/how-to-configure-vsftpd-to-use-ssl-tls-on-an-ubuntu-vps
and done the following steps.
4) I'm stuck again; this time I can't even log in: access denied.
Please help

-> Created a group

groupadd    myGroup

-> add two users

adduser     myuserA1
adduser     myuserB2

-> with password
password123

-> add users to the group

usermod myuserA1 -g myGroup
usermod myuserB2 -g myGroup

-> no shell access?

usermod myuserA1 -s /bin/false
usermod myuserB2 -s /bin/false

-> Set the home directory

usermod myuserA1 -d /var/www/mySiteX1.com/html
usermod myuserB2 -d /var/www/mySiteY2.net/html

->

sudo usermod -a -G myGroup myuserA1
sudo usermod -a -G myGroup myuserB2

-> Change ownership

sudo chown -R myuserA1:myGroup /var/www/mySiteX1.com/html
sudo chown -R myuserB2:myGroup /var/www/mySiteY2.net/html

My vsftpd.conf looks like the following (full file):

listen=NO
listen_ipv6=YES
dirmessage_enable=YES
use_localtime=YES
xferlog_enable=YES
connect_from_port_20=YES
rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem ##? Is this correct?
rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key ##? Is this correct?
anonymous_enable=NO
local_enable=YES
write_enable=YES
chroot_local_user=YES
allow_writeable_chroot=YES
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
require_ssl_reuse=NO
ssl_ciphers=HIGH

My sshd_config looks like the following (relevant part):

UsePAM yes
ClientAliveInterval 120
ClientAliveCountMax 2
Subsystem sftp internal-sftp
Match Group myGroup
    ChrootDirectory %h
    ForceCommand internal-sftp
    X11Forwarding no
    AllowTcpForwarding no
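The sshd_config(5) manual requires every component of a ChrootDirectory path to be a root-owned directory that is not writable by group or others, and on Debian/Ubuntu the vsftpd PAM stack (/etc/pam.d/vsftpd) normally includes pam_shells, so a login shell of /bin/false is only accepted if it appears in /etc/shells. The following is an added, read-only check script written for this thread; it is not from the question, the linked tutorial, sshd or vsftpd. It reuses the user names and paths from the question and the function names (chroot_component_ok, check_chroot_path, shell_listed, report_user) are its own. It relies on GNU stat and getent, as found on Ubuntu.

```shell
#!/bin/sh
# Added example (not from the original question or the linked tutorial).
# Read-only checks for the two conditions that most often turn the setup above
# into "access denied":
#   1. sshd ChrootDirectory: every path component must be owned by root (uid 0)
#      and must not carry the group- or other-write bit. Chowning the html/
#      directory to the developer while ChrootDirectory points at it breaks this.
#   2. vsftpd on Debian/Ubuntu authenticates via PAM with pam_shells, so the
#      user's login shell (here /bin/false) must be listed in /etc/shells.
# Nothing here modifies the system; it only reports.

# Return 0 if one directory satisfies sshd's chroot rule (uid 0, no g/o write bit).
chroot_component_ok() {
    dir=$1
    [ -d "$dir" ] || return 1
    set -- $(stat -c '%u %a' "$dir")    # GNU stat: "<owner uid> <octal mode>"
    uid=$1
    mode=$2
    [ "$uid" -eq 0 ] || return 1
    case "$mode" in
        *[2367][0-7]) return 1 ;;       # group digit carries the write bit
    esac
    case "$mode" in
        *[2367]) return 1 ;;            # other digit carries the write bit
    esac
    return 0
}

# Walk from / down to the given directory and report the first component that
# would make sshd refuse the chroot. Returns 0 only if the whole path is usable.
check_chroot_path() {
    path=$1
    old_ifs=$IFS
    IFS=/
    set -- $path                        # split the path on '/' (POSIX sh, no arrays)
    IFS=$old_ifs
    cur=/
    if ! chroot_component_ok "$cur"; then
        echo "NOT OK: / (must be root-owned and not group/other writable)"
        return 1
    fi
    for part in "$@"; do
        [ -n "$part" ] || continue      # skip empty pieces from leading/double slashes
        cur="${cur%/}/$part"
        if ! chroot_component_ok "$cur"; then
            echo "NOT OK: $cur (must be root-owned and not group/other writable)"
            return 1
        fi
    done
    echo "OK: $path can be used as ChrootDirectory"
    return 0
}

# Return 0 if the login shell appears as a whole line in the shells file
# (default /etc/shells), which is the test pam_shells applies.
shell_listed() {
    grep -qx -- "$1" "${2:-/etc/shells}"
}

# Report on one developer account: chroot path usability and login shell.
report_user() {
    user=$1
    home=$2
    echo "== $user =="
    check_chroot_path "$home" || true
    shell=$(getent passwd "$user" 2>/dev/null | cut -d: -f7)
    if [ -z "$shell" ]; then
        echo "no passwd entry for $user on this host"
    elif shell_listed "$shell"; then
        echo "shell $shell is listed in /etc/shells: pam_shells allows vsftpd logins"
    else
        echo "shell $shell is NOT in /etc/shells: pam_shells rejects vsftpd logins"
    fi
}

# The two accounts and home directories from the question.
report_user myuserA1 /var/www/mySiteX1.com/html
report_user myuserB2 /var/www/mySiteY2.net/html
```

Run it with `sh` on the server as any user. A layout that passes check_chroot_path is the one the first comment points at: the chroot target (for example /var/www/mySiteX1.com) root-owned with mode 755, a writable html/ directory beneath it owned by the developer, and the user's home (used by ChrootDirectory %h) set to the root-owned directory rather than to html/.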
2 comments
  • It's not completely clear to me now what you want and what isn't working. You probably want to chown the root directory /var/www/site1 to root and the html/ to your user.

    Be sure you choose between SFTP and VSFTP. If you want to use the tutorial mentioned above, don't follow the steps you have done here but follow the ones in that tutorial; don't do both.

  • I have tried the tutorial:

    1) can't save anything (not good)
    2) logged-in user can freely browse anywhere up to root (not good)
    3) on initial login the user goes to the home directory (okay)
