I followed the instructions below. This is for Scientific Linux 6.1, including my trial and error.
http://solderintheveins.co.uk/2011/03/ubuntu-sftp-only-account-how-to/
# cat /etc/redhat-release
Scientific Linux release 6.1 (Carbon)
# rpm -qa | grep openssh-server
openssh-server-5.3p1-52.el6.i686
Add the group for sftp:
# groupadd sftponly
Add the user for sftp:
# useradd -d /home/test1 -s /usr/libexec/openssh/sftp-server -M -N -g sftponly test1
-d, --home HOME_DIR
-s, --shell SHELL
-M
Do not create the user's home directory, even if the system wide setting from /etc/login.defs (CREATE_HOME) is set to yes.
-N, --no-user-group
Do not create a group with the same name as the user, but add the user to the group specified by the -g option or by the GROUP variable in /etc/default/useradd.
Configure the password:
# passwd test1
Make test1's home directory:
# mkdir -p /home/test1 /home/test1/.ssh
# chown test1:sftponly /home/test1 /home/test1/.ssh/
# chmod 700 /home/test1/.ssh/
Generate the ssh key for test1 under the /home/test1/.ssh directory:
# cd /home/test1/.ssh/
# sudo -u test1 ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/test1/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/test1/.ssh/id_rsa.
Your public key has been saved in /home/test1/.ssh/id_rsa.pub.
# ls /home/test1/.ssh/
id_rsa id_rsa.pub
# mv id_rsa.pub authorized_keys
# chown test1:sftponly *
Add "/usr/libexec/openssh/sftp-server" at the bottom of the /etc/shells file:
# tail -1 /etc/shells
/usr/libexec/openssh/sftp-server
Configure /etc/ssh/sshd_config:
# override default of no subsystems
Subsystem sftp /usr/libexec/openssh/sftp-server
Match group sftponly
ChrootDirectory %h
X11Forwarding no
AllowTcpForwarding no
ForceCommand /usr/libexec/openssh/sftp-server
Restart the SSH daemon:
# /etc/init.d/sshd restart
Let's try. Hmm, error.
# sftp test1@1.1.1.1
Connecting to 1.1.1.1...
test1@1.1.1.1's password:
Read from remote host 1.1.1.1: Connection reset by peer
Couldn't read packet: Connection reset by peer
Change the owner of the /home/test1 directory.
http://www.debian-administration.org/articles/590
# chown root.root /home/test1
Try again. Error.
# sftp test1@1.1.1.1
Connecting to 1.1.1.1...
test1@1.1.1.1's password:
Request for subsystem 'sftp' failed on channel 0
Couldn't read packet: Connection reset by peer
How about this?
# chmod 755 /usr/local/libexec
Try again... hmm, error.
# sftp test1@1.1.1.1
Connecting to 1.1.1.1...
test1@1.1.1.1's password:
Request for subsystem 'sftp' failed on channel 0
Couldn't read packet: Connection reset by peer
How about this? (sshd_config)
#Subsystem sftp /usr/libexec/openssh/sftp-server
Subsystem sftp internal-sftp
Match group sftponly
ChrootDirectory %h
X11Forwarding no
AllowTcpForwarding no
# ForceCommand /usr/libexec/openssh/sftp-server
ForceCommand internal-sftp
Try again. Success :D
# sftp test1@1.1.1.1
Connecting to 1.1.1.1...
test1@1.1.1.1's password:
sftp> ls
hello.txt
sftp> get hello.txt
Fetching /hello.txt to hello.txt
/hello.txt 100% 6 0.0KB/s 00:00
sftp> bye
# cat hello.txt
hello
Remote working directory: /
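As an added example (not code from this post), here is a small shell pre-flight script that checks the two things the trial and error above turned up: that every component of the ChrootDirectory path is root-owned and not group- or world-writable (the chown root.root fix), and that a chrooted Match block forces internal-sftp rather than the external sftp-server binary, which does not exist inside the chroot (the internal-sftp fix). The function names and the optional OWNER_UID/TOP parameters are my own; OWNER_UID defaults to root and TOP to /, and both exist only so the check can also be run on a scratch tree as a non-root user.

```sh
#!/bin/sh
# Added example: pre-flight checks for a chrooted sftp-only account.

# check_chroot_path DIR [OWNER_UID] [TOP]
# Walk from DIR up to TOP (default /) and verify each component is owned
# by OWNER_UID (default 0, root) and not group- or world-writable, which is
# the rule sshd applies to ChrootDirectory before it will start the session.
check_chroot_path() {
    dir=$1; want_uid=${2:-0}; top=${3:-/}
    [ -d "$dir" ] || { echo "not a directory: $dir"; return 1; }
    p=$dir
    while :; do
        # GNU stat: owner uid and octal permission bits, e.g. "0 755"
        set -- $(stat -c '%u %a' "$p")
        if [ "$1" -ne "$want_uid" ]; then
            echo "$p: owned by uid $1, expected uid $want_uid"; return 1
        fi
        # 022 masks the group-write and world-write bits; sshd rejects either
        if [ $(( 0$2 & 022 )) -ne 0 ]; then
            echo "$p: mode $2 is group- or world-writable"; return 1
        fi
        if [ "$p" = "$top" ] || [ "$p" = "/" ]; then break; fi
        p=$(dirname "$p")
    done
    return 0
}

# check_sftp_config FILE
# Fail when FILE sets ChrootDirectory but does not force internal-sftp:
# the external /usr/libexec/openssh/sftp-server binary is not reachable
# inside the chroot, which is the "Request for subsystem 'sftp' failed" case.
check_sftp_config() {
    f=$1
    if grep -Eiq '^[[:space:]]*ChrootDirectory' "$f" &&
       ! grep -Eiq '^[[:space:]]*ForceCommand[[:space:]]+internal-sftp' "$f"; then
        echo "$f: ChrootDirectory set but ForceCommand is not internal-sftp"
        return 1
    fi
    return 0
}

# Usage on a real host (as root), using the paths from the post:
#   check_chroot_path /home/test1 && check_sftp_config /etc/ssh/sshd_config
```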
Logs on, but the default remote dir is /, thus can't do anything. Any ideas?