Question

Setup a secondary SSH/SFTP user with limited directory access.

Posted January 15, 2015 29.9k views

I am trying to create a new secondary user that has access to SFTP files and SSH access to a specific directory.

I have the SFTP work, but when I try to login via SSH, I get the following error: Write failed: Broken pipe

The root user uses a public/private key, but I want the secondary user to use a password.

Here is what I have so far:

useradd test
passwd test
usermod -G www-data test
usermod -d /usr/share/nginx/html test
chown test:www-data /usr/share/nginx/html

As for additions to my sshd_config:

AllowUsers test

Match User test
        ChrootDirectory /usr/share/nginx/html
        PasswordAuthentication yes
        X11Forwarding no
        AllowTcpForwarding no
        ForceCommand internal-sftp

All I have left todo is to get the test user to be able access the CLI in their home directory to run composer and artisan commands.

Add a comment
chris.atlchris
By:
chris.atlchris
Add a comment
3 comments
  • sierracircle January 16, 2015
    Reply Report

    when you ssh in, you can add -v which will give you verbose output (helps figure out the problem)

    ssh -v test@yourdomain.com
  • bitcoder January 16, 2015
    Reply Report

    Directory /usr/share/nginx/html must be owned by root and content into this directory must belong to test:www-data. Or you gonna get an ssh error: fatal: bad ownership or modes for chroot directory component

    So we need to execute:

    chown root:root /usr/share/nginx/html
chown test:www-data /usr/share/nginx/html/*
  • mike85 December 4, 2015
    Reply Report

    I followed these instructions but can’t login with:

    ssh test@xxx.xxx.xxx.xxx

    The error message says the following:
    Could not chdir to home directory /usr/share/nginx/html: No such file or directory
    This service allows sftp connections only.
    Connection to xxx.xxx.xxx.xxx closed.

    Does anyone know how to fix that?

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

×
5 answers
relativeparallax April 12, 2016

By adding ForceCommand internal-sftp you block any access the user would have to any form of CLI, shell or terminal session. In fact, you’ll even ban SCP usage in favor of only sFTP.

If your run sftp test@xxx.xxx.xxx.xxx you will currently be able to list files and navigate the chroot jail and depending on permissions, read or read and write.

Does your user need a direct she’ll or is sFTP sufficient?

Reply Report
mike85 April 18, 2016

I wanted to create a user with sftp access to a specific folder and access to a chrooted environment. How is it possible to create such a chrooted setup?

Reply Report
pushstudio November 22, 2016

I’ve run those scripts buy when I try to log, I get:

myuser:~ titi# sftp testUser44@domainlalala.com
The authenticity of host ‘domainlalala.com (210.10.111.31)’ can’t be established.
ECDSA key fingerprint is SHA256:gF2gtBdaBGE2wS5doknd+HimlFmjHYKNO+m192iuv6w.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'domainlalala.com’ (ECDSA) to the list of known hosts.
Permission denied (publickey).
Connection closed

I’m missing the certificate creation or something like this?

Reply Report
virtualexx July 9, 2017

I executed

useradd test
passwd test
usermod -G www-data test
usermod -d /usr/share/nginx/html test
chown test:www-data /usr/share/nginx/html/*

sshd_config:

AllowUsers test
Match User test
        ChrootDirectory /usr/share/nginx/html
        PasswordAuthentication yes
        X11Forwarding no
        AllowTcpForwarding no

sudo systemctl restart ssh

And the new user still can navigate to any folder outside /usr/share/nginx/html

Reply Report
raul.recinosm November 10, 2017

On RHEL dont work :(

Reply Report
Submit an Answer

Looking for something else?

Ask a new question Search for more help