
I'd like to give temporary SFTP access to a support guy. How do I create an SFTP user? And how can I delete it once the job is done?

Also, how do I specify a home directory for them? Can I prevent them from accessing certain subdirectories within their home directory?

We use CentOS 6.3 and fzSftp

OC2PS
  • It depends on your configuration; providing us your config file could help. – Kiwy Jan 23 '14 at 13:48
  • What particular settings should I post? – OC2PS Jan 23 '14 at 13:49
  • the one of your ftp daemon – Kiwy Jan 23 '14 at 13:51
  • Are you sure you want FTP or SFTP? The reason I ask is that you listed fzsftp (filezilla sftp) which is the client that Filezilla uses for SFTP connections. – slm Jan 23 '14 at 14:08
  • Ah! I connected via FileZilla to SFTP, hence listed fzsftp...thought this was my server. SFTP would be fine, if you can help me with that. Thanks! – OC2PS Jan 23 '14 at 14:15

1 Answer


Non-chroot access

If you don't have an FTP server set up, and you trust the user who will be logging in not to go poking around your server too much, I'd be inclined to give them an account to SFTP into the system instead.

The CentOS wiki maintains a simple howto titled: Simple SFTP setup that makes this pretty pain free.

I say it's pain free because you literally just have to make the account, make sure that the firewall allows SSH traffic, make sure the SSH service is running, and you're pretty much done.

If sshd isn't already running:

$ sudo /etc/init.d/sshd start

To add a user:

$ sudo useradd userX
$ sudo passwd userX
... set the password ...

When you're done with the account:

$ sudo userdel -r userX

Chroot access

If on the other hand you want to limit this user to a designated directory, the SFTP server included with SSH (openssh) provides a configuration that makes this easy to enable too. It's a bit more work but not too much. The steps are covered here in this tutorial titled: How to Setup Chroot SFTP in Linux (Allow Only SFTP, not SSH).

Make these changes to your /etc/ssh/sshd_config file.

Subsystem       sftp    internal-sftp

## You want to put only certain users (i.e. users who belong to the sftpusers group) in the chroot jail environment. Add the following lines at the end of /etc/ssh/sshd_config

Match Group sftpusers
  ChrootDirectory /sftp/%u
  ForceCommand internal-sftp

Now you'll need to make the chrooted directory tree that this user will be locked into.

$ sudo groupadd sftpusers     # the group must exist before useradd -g / chown refer to it
$ sudo mkdir -p /sftp/userX/{incoming,outgoing}
# run the chown once the userX account exists (it is created below), otherwise chown fails with "invalid user"
$ sudo chown userX:sftpusers /sftp/userX/{incoming,outgoing}

Permissions should look like the following:

$ ls -ld /sftp/userX/{incoming,outgoing}
drwxr-xr-x 2 userX sftpusers 4096 Dec 28 23:49 /sftp/userX/incoming
drwxr-xr-x 2 userX sftpusers 4096 Dec 28 23:49 /sftp/userX/outgoing

The top-level directories like this (root-owned and not group- or world-writable, which sshd requires for every component of the ChrootDirectory path):

$ ls -ld /sftp /sftp/userX
drwxr-xr-x 3 root root 4096 Dec 28 23:49 /sftp
drwxr-xr-x 4 root root 4096 Dec 28 23:49 /sftp/userX

Don't forget to restart the sshd server:

$ sudo service sshd restart

Now create the userX account:

$ sudo useradd -g sftpusers -d /incoming -s /sbin/nologin userX
$ sudo passwd userX
... set password ...

You can check that the account was created correctly:

$ grep userX /etc/passwd
userX:x:500:500::/incoming:/sbin/nologin

When you're done with the account, delete it in the same way above:

$ sudo userdel -r userX
$ sudo rm -rf /sftp/userX    # -r only knows the real-filesystem /incoming, so the chroot tree has to be removed by hand

...and don't forget to remove the configuration file changes we made above, then restart sshd to make them active once more.

slm
  • Nice! How can I restrict the user to a particular directory, and prevent the user from accessing a couple of subdirectories within that directory? – OC2PS Jan 23 '14 at 14:28
  • bind the user inside its home folder and add symbolic links inside to the different directories you want to allow – Kiwy Jan 23 '14 at 14:51
  • @OC2PS - the above shows one method of chroot'ing the users; you can also chroot them to their home directory. I generally break these users out into a designated area so that it's obvious when I look through /home/... who is really a user on a system. Though I run an actual SFTP server for work so my needs are slightly different. – slm Jan 23 '14 at 14:59
  • When I do sudo useradd -D userX, I get Usage: useradd [options] LOGIN – OC2PS Jan 23 '14 at 15:32
  • @OC2PS try useradd userX. Sorry I misread the man page for useradd. – slm Jan 23 '14 at 15:51
  • I guess guestuser should always be userX, right? And the user should be created before the directory, right? – Blaisorblade Sep 21 '15 at 12:50
  • I am getting [root@localhost ~]# chown macrouser:sftpusers /sftp/macrouser/{incoming,outgoing} chown: cannot access '/sftp/macrouser/incoming': No such file or directory chown: cannot access '/sftp/macrouser/outgoing': No such file or directory. Of course I added the user macrouser and the group according to that guide. grep macrouser /etc/passwd macrouser:x:1003:1003::/incoming:/sbin/nologin any idea? – Pikk Mar 02 '17 at 08:06
  • @pikk those extra characters in the path "cannot access ..." Look like your issue. – slm Mar 02 '17 at 12:12
  • There were no extra characters. Only spaces. I even deleted those spaces and added them back with the spacebar. Same issue. Issue resolved by creating this folder – Pikk Mar 02 '17 at 13:42