How to Restrict a User's Access Using SFTP?

Lisa Kachold lisakachold at obnosis.com
Thu Dec 29 08:27:15 MST 2011 

Hi Mark,

No, you cannot use a nologin with scp or ssh.

There are a few restricted shells, most notably rssh (which is in apt-get
for Debian):

http://www.cyberciti.biz/tips/howto-linux-unix-rssh-chroot-jail-setup.html
http://www.cyberciti.biz/tips/rhel-centos-linux-install-configure-rssh-shell.html

On Thu, Dec 29, 2011 at 8:04 AM, Mark Phillips
<mark at phillipsmarketing.biz>wrote:

> Eric,
>
> The Debian equivalent to /sbin/nologin appears to be /bin/false. When I
> tried that, I could not sftp or ssh or gain access to the machine in
> anyway. I am not sure if there is another Debian shell that allows sftp but
> not ssh.
>
> Thanks!
>
> Mark
>
> On Wed, Dec 28, 2011 at 9:54 PM, Eric Shubert <ejs at shubes.net> wrote:
>
>> That should be ok.
>>
>> Be sure you have your ftp server configured such that they cannot access
>> folders above/across their home folder. File permissions may handle this,
>> but probably will not (many things are world readable).
>>
>> Also, be sure that they cannot login to a command prompt by setting their
>> login shell to /sbin/nologin (might vary with distro). This is commonly
>> done for service accounts (apache, etc).
>>
>>
>> On 12/28/2011 03:38 PM, Mark Phillips wrote:
>>
>>> Thanks to everyone for their suggestions. Based on some constraints,
>>> your advice, some googling, I arrived at this set-up, but I am not sure
>>> how secure it is.
>>>
>>> 1. The web creation software (iWeb on a Mac) only supports ftp and sftp
>>> to upload a site.
>>> 2. iWeb does not support the use of "versions" for the web pages. By
>>> that I mean iWeb is strictly one way - create a site and publish it. It
>>> cannot import an iWeb site, it has to start at the beginning. One can
>>> create a site and publish it, then edit the site, and publish again, but
>>> it cannot import or use a previous version of the site as a starting
>>> point. (I mention this because Eric suggested using git, which sounded
>>> like a great idea, but alas
>>>
>>> I have this setup, but I could use some advice on how to make it more
>>> secure....
>>>
>>> 1. User account fred
>>> 2. fred's home is /var/www/domain/fred
>>> 3. /var/www/domain/fred has owner:group fred:fred
>>> 4. Document root is /var/www/domain/fred
>>>
>>> Thanks,
>>>
>>> Mark
>>>
>>> On Wed, Dec 28, 2011 at 10:26 AM, Eric Shubert <ejs at shubes.net
>>> <mailto:ejs at shubes.net>> wrote:
>>>
>>>    On 12/27/2011 10:46 PM, Mark Phillips wrote:
>>>
>>>        I need to give a user access to my web server via sftp to upload
>>> web
>>>        site changes. What is the best way to do this? I have several
>>> other
>>>        sites on the same server, so I want to prevent them or anyone
>>>        else who
>>>        gains access to their account from being able to make changes to
>>>        those
>>>        sites or other parts of the server.
>>>
>>>        Thanks,
>>>
>>>        Mark
>>>
>>>
>>>    I use vsftp, which can be configured to allow users access only to
>>>    their web site's tree. sftp might be able to do the same.
>>>
>>>    Then, create their user such that their home directory is their web
>>>    site's directory, and they cannot log in to the system (only vsftp)
>>>    with an /etc/passwd entry like this:
>>>    vsftpuser:x:511:511::/var/__**vhosts/domain.com/docs:/sbin/_**
>>> _nologin <http://domain.com/docs:/sbin/__nologin>
>>>    <http://domain.com/docs:/sbin/**nologin<http://domain.com/docs:/sbin/nologin>
>>> >
>>>
>>>
>>>    Files in their web site are owned by their user, with read
>>>    permissions for 'other' (o+r), which allows apache (or nginx) to
>>>    read them.
>>>
>>>    --
>>>    -Eric 'shubes'
>>>
>>>
>>>    ------------------------------**__---------------------
>>>    PLUG-discuss mailing list - PLUG-discuss at lists.plug.__phoe**nix.az.us<http://phoenix.az.us>
>>>    <mailto:PLUG-discuss at lists.**plug.phoenix.az.us<PLUG-discuss at lists.plug.phoenix.az.us>
>>> >
>>>
>>>    To subscribe, unsubscribe, or to change your mail settings:
>>>    http://lists.PLUG.phoenix.az._**_us/mailman/listinfo/plug-__**discuss
>>>    <http://lists.PLUG.phoenix.az.**us/mailman/listinfo/plug-**discuss<http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss>
>>> >
>>>
>>>
>>>
>>
>> --
>> -Eric 'shubes'
>>
>> ------------------------------**---------------------
>> PLUG-discuss mailing list - PLUG-discuss at lists.plug.**phoenix.az.us<PLUG-discuss at lists.plug.phoenix.az.us>
>> To subscribe, unsubscribe, or to change your mail settings:
>> http://lists.PLUG.phoenix.az.**us/mailman/listinfo/plug-**discuss<http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss>
>>
>
>
> ---------------------------------------------------
> PLUG-discuss mailing list - PLUG-discuss at lists.plug.phoenix.az.us
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>



-- 
(602) 791-8002  Android
(623) 239-3392 Skype
(623) 688-3392 Google Voice
**
HomeSmartInternational.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.PLUG.phoenix.az.us/pipermail/plug-discuss/attachments/20111229/9462fb04/attachment.html>

More information about the PLUG-discuss mailing list