Setup a secondary SSH/SFTP user with limited directory access.

January 15, 2015 26.8k views
chris.atlchris
By:
chris.atlchris

I am trying to create a new secondary user that has access to SFTP files and SSH access to a specific directory.

I have the SFTP work, but when I try to login via SSH, I get the following error: Write failed: Broken pipe

The root user uses a public/private key, but I want the secondary user to use a password.

Here is what I have so far:

useradd test
passwd test
usermod -G www-data test
usermod -d /usr/share/nginx/html test
chown test:www-data /usr/share/nginx/html

As for additions to my sshd_config:

AllowUsers test

Match User test
        ChrootDirectory /usr/share/nginx/html
        PasswordAuthentication yes
        X11Forwarding no
        AllowTcpForwarding no
        ForceCommand internal-sftp

All I have left todo is to get the test user to be able access the CLI in their home directory to run composer and artisan commands.

3 comments
  • sierracircle January 16, 2015

    when you ssh in, you can add -v which will give you verbose output (helps figure out the problem)

    ssh -v test@yourdomain.com
  • bitcoder January 16, 2015

    Directory /usr/share/nginx/html must be owned by root and content into this directory must belong to test:www-data. Or you gonna get an ssh error: fatal: bad ownership or modes for chroot directory component

    So we need to execute:

    chown root:root /usr/share/nginx/html
chown test:www-data /usr/share/nginx/html/*
  • mike85 December 4, 2015

    I followed these instructions but can’t login with:

    ssh test@xxx.xxx.xxx.xxx

    The error message says the following:
    Could not chdir to home directory /usr/share/nginx/html: No such file or directory
    This service allows sftp connections only.
    Connection to xxx.xxx.xxx.xxx closed.

    Does anyone know how to fix that?

Log In to Comment
5 Answers
relativeparallax April 12, 2016

By adding ForceCommand internal-sftp you block any access the user would have to any form of CLI, shell or terminal session. In fact, you'll even ban SCP usage in favor of only sFTP.

If your run sftp test@xxx.xxx.xxx.xxx you will currently be able to list files and navigate the chroot jail and depending on permissions, read or read and write.

Does your user need a direct she'll or is sFTP sufficient?

Reply
mike85 April 18, 2016

I wanted to create a user with sftp access to a specific folder and access to a chrooted environment. How is it possible to create such a chrooted setup?

Reply
pushstudio November 22, 2016

I've run those scripts buy when I try to log, I get:

myuser:~ titi# sftp testUser44@domainlalala.com
The authenticity of host 'domainlalala.com (210.10.111.31)' can't be established.
ECDSA key fingerprint is SHA256:gF2gtBdaBGE2wS5doknd+HimlFmjHYKNO+m192iuv6w.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'domainlalala.com' (ECDSA) to the list of known hosts.
Permission denied (publickey).
Connection closed

I'm missing the certificate creation or something like this?

Reply
virtualexx July 9, 2017

I executed

useradd test
passwd test
usermod -G www-data test
usermod -d /usr/share/nginx/html test
chown test:www-data /usr/share/nginx/html/*

sshd_config:

AllowUsers test
Match User test
        ChrootDirectory /usr/share/nginx/html
        PasswordAuthentication yes
        X11Forwarding no
        AllowTcpForwarding no

sudo systemctl restart ssh

And the new user still can navigate to any folder outside /usr/share/nginx/html

Reply
raul.recinosm November 10, 2017

On RHEL dont work :(

Reply
Have another answer? Share your knowledge.