CentOS
RabIN, 2019-02-05 19:37:57

How to open access to a user to a specific folder via sftp?

There is a folder

/var/www/site

It belongs to the user site:site.
I created a new user as root and configured the config:
/etc/ssh/sshd_config
#Subsystem      sftp        /usr/libexec/openssh/sftp-server
Subsystem sftp internal-sftp
Match User manager_user
ChrootDirectory /var/www/site/data/www/site.ru/upload/images_person
ForceCommand internal-sftp

Saved, then entered the commands in the console:
systemctl stop httpd
systemctl start httpd

Added manager_user to the site group.
When accessing via sftp, it says that authentication failed...
LOG:
Feb  5 17:15:47 site sshd[17844]: Accepted password for manager_user from ip port 30517 ssh2
Feb  5 17:15:47 site sshd[17844]: pam_unix(sshd:session): session opened for user manager_user by (uid=0)
Feb  5 17:15:47 site sshd[17844]: fatal: bad ownership or modes for chroot directory component "/var/www/site/" [postauth]

I'm not going to change the permissions on the folder; the /var/www/site folder should remain owned by site.
The user should only browse this folder, without going above the directory:
/var/www/site/data/www/site.ru/upload/images_person

Luka, 2019-02-06
@RabIN

Here is a little info.
Create a new user:
-m - indicates the need to create the user's home directory in the /home directory;
-s - specifies the user's shell; /sbin/nologin prevents the user from using the shell.
crazyadmin - username
Set a password for the created user:
If something went wrong, you can always delete the user with the userdel username command, for example:
And create a chroot folder for the new user; its purpose will be described below.
Setting up the SSH server
Now we go to the SSH config /etc/ssh/sshd_config and look for the following line:
and change it to
Now we go to the very end of the config and add there:

Match User crazyadmin
        X11Forwarding no
        AllowTcpForwarding no
        AllowAgentForwarding no
        PermitTunnel no
        ForceCommand internal-sftp
        ChrootDirectory %h/chroot

ChrootDirectory is the parent directory of the folder we want to access via SFTP. In this example, the chroot directory is used, which is located in the user folder. If access via SSH is configured on your server only through a key file, and you need to make it possible to log in with a password, then add the following:
After completing all the manipulations with the SSH server, you need to restart it:
Setting up directories for the SFTP user
We go to the directory /home and look for the folder of the newly created user, and in it the chroot folder. Set it to be owned by the root user:
Set the necessary rights to the folder:
Attention! In no case should you set ChrootDirectory to any other rights; otherwise the following error will pop up: fatal: bad ownership or modes for chroot directory component.
Now let's imagine that we need to provide access to several folders, and they all lie outside the ChrootDirectory. The way out is as follows:
Let's say we need to allow access to /var/www/sysadmin.ru. Create a folder called sysadmin.ru in the user's home directory /home/crazyadmin.
Now let's mount the directory to which we need to provide access to this folder:
We set the rights necessary for editing for our directory /var/www/sysadmin.ru:
chmod 777 /var/www/sysadmin.ru
find /var/www/sysadmin.ru -type f -exec chmod 664 {} +
find /var/www/sysadmin.ru -type d -exec chmod 777 {} +

If something went wrong during the process of mounting the directory, then you can remove the mount with the umount command:
This completes the SFTP server setup.
Common mistakes
fatal: bad ownership or modes for chroot directory component
- as mentioned above, this error appears when the owner of the ChrootDirectory is not the root user, and the rights are not equal to 755.
No supported authentication methods available (server sent public key)
- the server is configured for authorization by key. If you need password authorization, then in the config /etc/ssh/sshd_config you need to change the value of the PasswordAuthentication variable from no to yes, and then restart the server with the command service ssh restart.

gena-bobkov, 2019-04-06
@gena-bobkov

There is also a good instruction here: Adding a new SFTP user to BitrixVM
