Working with Linux howtos

• Working with RPM
• Package Management Made Easy With Apt
• Moving files around: Setting up FTP
• SCP: an FTP alternative
• SFTP: Easy jailed accounts
• Backup FTP server: offsite backups that you control
• Automated incremental backups: Script to automate backups using SSHFS and rdiff-backup
• Backups with rSync
• Automated backups with RSync
• Load balancing and failover
• Accurate time with NTP
• Setting a UTC timezone
• Changing a hostname
• Application environment setup (using bash profiles)
• Using find and xargs
• Setting up disk quotas
• Working with Bash aliases

Simple SFTP jails

Each RimuHosting server comes with SSH, SFTP and SCP (a Secure Copy Program) using OpenSSH. You can use SFTP instead of FTP and that uses all the existing account systems on your server, plus you gain properly secured connections rather than relying on ftp connections which send passwords in clear text.

In some cases you may wish to allow limited logins, for example for site developers that can see, change and modify files in a specific directory, but should not see any files on the rest of the server. You can enable this as follows...

To start with log in to your server, you will need root/superuser access there.

Edit the file /etc/ssh/sshd_config and look for the line near the end that starts with "Subsystem sftp". Change that to look like the following block, and move that to the very end of the file.

# setup an sftp server
  Subsystem sftp internal-sftp
  # the following settings override the defaults for the Matched user group
  Match group sftponly
    # The home directory.  All components of the directory must be root-owned directories that are not writable by any other user or group.
    ChrootDirectory %h
    # disable some features
    X11Forwarding no
    AllowTcpForwarding no
    ForceCommand internal-sftp

If you want those users to have access to files outside their home folder remove the ChrootDirectory line from the above. You can add other Match sections for different user groups, for example if you need to have jailed and non-jailed users.

Next up add the usergroup defined in the above configuration..

addgroup sftponly

Restart the ssh daemon for you changes to take effect. This should not break existing ssh connections. Under Debian/Ubuntu do /etc/init.d/ssh restart, or in CentOS do /etc/init.d/sshd restart.

Enabling jails for existing users

Add existing accounts to that sftponly group.

usermod -G sftponly existinguser
chown root:root /home/existinguser
chmod u=rwx,g=rx,o=rx /home/existinguser

Note that will prevent those users from gaining a regular shell, instead sometimes it is better to create a new user account especially for sftp...

The /home/existinguser directory will not be writable by that user.  They will only have access to sub-directories you create to which they have write permissions.

Enabling jails for new users

This is similar to the above method, with the added step of creating a new user account for the jail. For example you may wish to do this for website folders, however note you will need to resolve differences in permissions between the web server and the user account. This can be non-trivial if you have a more complex setup (eg using suexec in apache). So keep in mind you may need a bit more time to set it up correctly. If you are seeing problems keep an eye on your server logs for clues.

# create a directory
mkdir -p /var/www/mysite
# create the newusername user, put then in the sftponly group, do not let them log in
useradd --shell /bin/false --home /var/www/mysite -M --gid sftponly newusername
# set a password
passwd newusername
# make that directory root writeable only
chown root:root /var/www/mysite
chmod u=rwx,g=rx,o=rx /var/www/mysite
# create a directory to which they can upload files
mkdir /var/www/mysite/html
chown newusername:sftponly /var/www/mysite/html

The /var/www/mysite directory will not be writable by that user.  They will only have access to sub-directories you create to which they have write permissions.

You will need to set the permissions on that parent directory and any subfolders as shown so that the sftp user can work with files in there. Or tighten those if you do not want them changed. Be careful with folder permissions further up, those will also need to be relaxed in the same way

Further notes

Be aware that sftp jails are different from full shell enabled chroot jails, after logging in to that account you will only have access to ftp style commands supplied by sftp itself. If you need a full chroot jail that is very different.

Some more complex examples of configuring sftp can be seen at http://en.wikibooks.org/wiki/OpenSSH/Cookbook/SFTP or in our own post using JailKit/chroots at https://blog.rimuhosting.com/2022/12/01/jailkit-chroots/

If you are using a non Linux workstation to connect to your server, or simply do not wish to use the command line there are a lot of applications available now that provide drag'n drop interfaces that support sftp. One popular example is FileZilla.