Carpetsmoker (Martin), 20th September 2009

From what I understand this is what you're looking for:
http://www.minstrel.org.uk/papers/sftp/builtin/

From what I can see, it's basically as simple as adding these lines to the end of /etc/ssh/sshd_config:
Code:
# These lines must appear at the *end* of sshd_config
Match Group sftponly
  ChrootDirectory %h
  ForceCommand internal-sftp
  AllowTcpForwarding no

The syntax is pretty self-explanatory: all users in the group sftponly are chrooted to their home directory and are forced to use sftp, so they can't use a remote shell.

So with this solution you can even allow certain customers sftp-only access and others (those paying more?) full ssh access.

Also, please do read the appropriate manpages; mindlessly copy/pasting configuration directives from the internet is a recipe for disaster: sshd_config(5), sftp(1), sftp-server(8)

As a sidenote, I believe jggimi recently mentioned that he used this or a similar solution when he set up an account for me on his server; perhaps he has some additional advice or comments.
__________________
UNIX was not designed to stop you from doing stupid things, because that would also stop you from doing clever things.
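Added example, not part of the original post: sshd_config(5) requires every component of a ChrootDirectory path to be a root-owned directory that is not writable by group or others, which with `ChrootDirectory %h` applies to the user's home directory itself. The script below checks a path against that rule before sshd is reloaded; the optional UID and TOP arguments are hypothetical knobs added so the check can be exercised without root.

```shell
#!/bin/sh
# Added example: pre-flight check for a ChrootDirectory path.
# sshd_config(5): all components of the pathname must be root-owned
# directories that are not writable by any other user or group.

# dir_ok DIR [UID]: succeed if DIR is a directory owned by UID (default 0,
# root) with no group/other write bit. UID is overridable only for testing.
dir_ok() {
    dir=$1; want_uid=${2:-0}
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 1; }
    # ls -ldn is POSIX: field 1 = mode string, field 3 = numeric owner
    line=$(ls -ldn "$dir" | awk '{print $1, $3}')
    perms=${line% *}; uid=${line#* }
    [ "$uid" = "$want_uid" ] || { echo "$dir: owner uid $uid, want $want_uid" >&2; return 1; }
    case $perms in
        ?????w*|????????w*) echo "$dir: group/other writable ($perms)" >&2; return 1 ;;
    esac
    return 0
}

# check_chroot_path DIR [UID] [TOP]: check DIR and every parent up to TOP
# (default /). TOP is a hypothetical knob so the check can run in a sandbox.
check_chroot_path() {
    path=$1; want=${2:-0}; top=${3:-/}
    case $path in /*) ;; *) echo "need an absolute path: $path" >&2; return 2 ;; esac
    while :; do
        dir_ok "$path" "$want" || return 1
        if [ "$path" = "$top" ] || [ "$path" = / ]; then return 0; fi
        path=$(dirname "$path")
    done
}

# Usage: sh check_chroot.sh /home/alice   (constructed example path)
if [ $# -gt 0 ]; then check_chroot_path "$@"; fi
```

Run it against each sftponly user's home directory, then validate the configuration file itself with `sshd -t` before restarting the daemon.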