Originally Posted by Nil_Pointer
As for SFTP, it's cool, but you need to lock users to their home directories and lock them out from using shell commands. In fact, I'd be interested in doing that to replace FTP.
You don't need to do that but it is very, very easy if you decide you want to. It's a matter of changing a few lines in the configuration file for openssh-server.
Set the sftp subsystem to use the built-in one.
Code:
Subsystem sftp internal-sftp
Then specify a group of users to restrict to SFTP:
Code:
Match group sftponly
ForceCommand internal-sftp
That locks any users in the group sftponly into only being able to use SFTP and not the shell. Usually this is enough to make everyone happy. Make sure you are not in the group or you will get locked out of the shell.
If you want to chroot, that's two more lines to the config file, but then there is one gotcha: the chroot target has to be owned by root.
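Added example, not part of the original post: a pre-flight check for the chroot ownership gotcha mentioned above. Per sshd_config(5), sshd requires every component of the `ChrootDirectory` path to be a root-owned directory that is not writable by group or others, so the check walks from the target up to `/`. It assumes GNU `stat` and `dirname` (Linux); the function names and the path in the usage comment are hypothetical.

```shell
#!/bin/sh
# Added example: verify a directory is acceptable as an sshd chroot target.
# Rule checked (sshd_config(5), ChrootDirectory): every path component must be
# owned by root (uid 0) and must not be writable by group or others.

# Pure check on one component: $1 = owner uid, $2 = octal mode (755, 1777, ...).
component_ok() {
    [ "$1" -eq 0 ] || return 1
    # 022 masks the group-write and other-write permission bits.
    [ $(( 0$2 & 022 )) -eq 0 ]
}

# Walk from the target up to /, printing every component sshd would reject.
# Returns 0 if all components pass, 1 if any fail, 2 if the target is not a
# directory. The body runs in a subshell so its variables stay local.
check_chroot_path() (
    # Resolve symlinks so the real directories are the ones inspected.
    path=$(cd -- "$1" 2>/dev/null && pwd -P) || {
        echo "not a directory: $1" >&2
        exit 2
    }
    rc=0
    while :; do
        uid=$(stat -c %u -- "$path")
        mode=$(stat -c %a -- "$path")
        if ! component_ok "$uid" "$mode"; then
            echo "BAD uid=$uid mode=$mode $path"
            rc=1
        fi
        if [ "$path" = / ]; then
            break
        fi
        path=$(dirname -- "$path")
    done
    exit "$rc"
)

# Usage (constructed path): check_chroot_path /srv/sftp/alice
```

A user's own home directory normally fails this check because the user owns it, which is why a chrooted layout usually keeps a root-owned parent with a user-writable subdirectory inside it.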