Allow SFTP but prevent SSH Shell Access CentOS 6

Quick guide to configure SFTP access but prevent SSH logins.

A standard CentOS install with the openssh-server package (and its dependencies) already configured is all we need to get started.

Just note that this document assumes CentOS 6 for all example code and references. Syntax, file locations and commands may vary based on your distribution.

Scenario

You’ve got a specific user who only requires encrypted access to the files of their hosted web site. However, we don’t want the user to be able to see or access any other user’s data or system data on the server, so we confine them to a chroot (jail).

Step 1: Configure SSH

We’ll need to open up the /etc/ssh/sshd_config file and make a few adjustments.

You’ll need to look for the following line:

You’ll want to comment out that line and add the additional configuration below it.

Save and close sshd_config to complete that step. Also note that you’ll need to restart the sshd service before the settings take effect.

Step 2: Directory Structure & Permissions

Let’s set up the correct directory structure and file system permissions.

Just a quick note regarding the ChrootDirectory value. As you can see I’ve used /var/www/andrew, however this is not the document root of the website. There is a subfolder called webroot (/var/www/andrew/webroot) which is where the user stores all their web documents. I’ve found that you’ll get unexpected results if you try to drop the user directly into a directory on which they have owner or group permissions.

So we chroot the user to /var/www/andrew, but the user andrew gets nothing more than read and execute permission on that directory.

To configure the above permissions run:

Now let’s look at the file permissions of the actual webroot folder (this is where the user’s working web documents are stored).

To configure the above settings run:

Step 3: Modify the User’s Shell

The final step to making it all work is to give the user a specific SFTP-only shell that prevents them from doing anything other than SFTP. It’s as simple as running the following command:

… and that’s it!

Now when the user connects with SFTP, they will be dropped into the root of /var/www/andrew and will not be able to see or access any directory outside this location. The user will also see the webroot directory, to which they have full read/write access.

Andrew McDonald is an IT Systems Admin and all round technology junkie. Absolutely a jack-of-all-trades and not one to shy away from a challenge.

Comments

  1. Reznoir

    Thank you very much for this great tutorial!
    Works fine with AWS and the Amazon Linux Image!

  2. kamil

    Thank you very much … Super…

  3. Steve

    With this configuration it’s not working; it cut both the SSH and SFTP connections.

  4. suman

    I did the steps as you gave them, but the user can access all the remaining directories. So how can I restrict access to the remaining folders? Help me yaar.

