
The goal of this article is to provide solutions and approaches for a limited shared hosting environment.

Approach 1 - Restricted SFTP Only Access

With this approach, the user is granted access only via SFTP, and only to a specific directory. Shell access is not granted.

Enable SFTP Only Shell

There is an sftp shell available which prevents users from logging into a normal shell. Register the sftp shell with the operating system:

# sudo applies only to echo, not to the redirect, so append via tee instead
echo '/usr/lib/sftp-server' | sudo tee -a /etc/shells

Now any user can be restricted to sftp-only access by changing that user's shell:

sudo usermod jolsen -s /usr/lib/sftp-server

Restrict Folder Access

There are many ways of doing this. We will opt for the simplest approach: users will be restricted to their home directories, and a unix group will be used so that users can easily be added to and removed from the restriction.

Modify sshd_config with your favourite editor:

vi /etc/ssh/sshd_config

Add to the bottom of the file (a Match block applies to everything that follows it, so it must come after the global directives):

Match group sftprestricted
    ForceCommand internal-sftp
    ChrootDirectory /home/%u
    # Optional increased security directives
    X11Forwarding no
    AllowTcpForwarding no

In order for this to work, root should own the home folder, and sshd additionally requires that the chroot directory and every parent directory be owned by root and not writable by group or others; the user therefore needs a writable subdirectory inside it to upload into. By default this is the case with Ubuntu and most *nix systems.

Shell Access

rbash (restricted shell) restricts the capabilities available to an interactive user session, or to a shell script, running within it. It provides an additional layer of security against general users only; more advanced users may write programs that break out of rbash.

Further lock down the system using permissions and/or ACLs.

Research

How to configure sftp to lock down directory with groups - http://www.debian-administration.org/articles/590

scponly sounded like a quick, easy solution, but I did not get a good feeling when reading the docs, as it sounds complicated - https://github.com/scponly/scponly/wiki