Create a user that can only connect to a specific directory

Question

I've created a SSH folder for some friends. I've created the users to log in via SSH, but they connect to ~ how can I set to which folder they can connect?

I have a directory called /usbdrv/ which point to my usb Drive.

PS: They can't go then in the parent directory.

Should they be able to execute commands on your machine, or only to transfer files? — Gilles 'SO- stop being evil', Apr 07 '14 at 18:23

score 1 · Answer 1 · edited May 23 '17 at 12:40

Unless you created the users specifically without a home directory, the standard directories are created under /home/username. The ~ directory is just a link to the appropriate /home/username location of the current shell or ssh user.

For example the command cd ~ will send you to different places if executed as root or as a named user.

You can specify user's home directories during user creation or move them to a different home directory. To change the current home directory for a user execute the following as root:

usermod -m -d /path/to/new/home/dir username

Just be sure you have the correct ownership and permissions on the new directory structure.

You could alternately just change the default ssh directory. But you probably want to move the home directories as that seems more secure IMHO.

This account will still be able to traverse the whole filesystem. — Gilles 'SO- stop being evil', Apr 07 '14 at 18:22
If you want to restrict the ssh users to their home directories you can jail them in their home directories. — 111---, Apr 07 '14 at 18:27

score 1 · Accepted Answer · edited Apr 13 '17 at 12:36

Setting a user's home directory only determines the directory where they are by default. Users can see the rest of the filesystem.

If you want an account to be restricted to file transfer and to only have access to a specific directory tree, you need to “jail” that user. This is supported natively by OpenSSH; for example, if you put those friends (and only them) in the friends group:

Match Group friends
ForceCommand internal-sftp
ChrootDirectory %h
#AuthorizedKeysFile /etc/sshd/friends/%u.authorized_keys

The ChrootDirectory confines these users to their home directory. If they all have the same home directory, they'll all be able to use the same SSH keys, which may not be what you want. Uncomment the AuthorizedKeysFile line if you don't want these users to be able to upload their own authorized keys.

If you want to treat these users independently from an authentication point of view, don't want them to be able to manipulate their keys, and want to give them all access to the same directory tree, then you can set a particular directory instead:

Match Group friends
ForceCommand internal-sftp
ChrootDirectory /pub

If you want to give these users access to multiple parts of the filesystem, you can make a combined view using a bind mount.

ForceCommand internal-sftp restricts these users to SFTP access (e.g. with Filezilla or over SSHFS). If you want to allow other methods such as rsync, you need a fancier configuration, e.g. using rssh (read the CHROOT guide).

Create a user that can only connect to a specific directory

2 Answers2